This year the 1995 Data Protection Directive is brought up to date by a new EU-wide regulation: a comprehensive reform of the directive that was developed to strengthen and unify privacy rights and data protection for individuals within the European Union.
The General Data Protection Regulation (GDPR) is a comprehensive reform of the EU's 1995 Data Protection Directive. It was developed to strengthen and unify online privacy rights and data protection for individuals within the European Union (EU), while streamlining the data protection obligations of businesses serving EU citizens through a single Regulation instead of 28 different national laws.
WHAT ARE THE CHANGES?
Key changes in the reform include:
- The right to know when one's data has been hacked: Companies and organisations must notify the national supervisory authority of data breaches which put individuals at risk, and communicate all high-risk breaches to the data subject as soon as possible so that users can take appropriate measures.
- Stronger enforcement of the rules: data protection authorities will be able to fine companies who do not comply with EU rules up to 4% of their global annual turnover.
- One continent, one law: a single, pan-European law for data protection, replacing the current patchwork of national laws. Companies will deal with one law, not 28. The benefits are estimated at €2.3 billion per year.
- Organisations must notify the national authority of serious data breaches as soon as possible (if feasible, within 24 hours).
- EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens.
- Data protection by design and by default: 'Data protection by design' and 'Data protection by default' are now essential elements in EU data protection rules. Data protection safeguards will be built into products and services from the earliest stage of development, and privacy-friendly default settings will be the norm.
By making data protection an essential, key element of the regulation, the EU is making it mandatory for businesses to adequately protect sensitive personal data, defined as:
"any information relating to an identified or identifiable natural person hereinafter referred to as 'data subject'; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity;"
This broad definition of personal data easily covers even the simplest records relating, directly or indirectly, to customers, clients, staff, pupils or any other individual.