The dying days of 2015 brought with them major changes for data protection laws in Europe. On the 17th December, the European Parliament and Council published their final informal draft of the General Data Protection Regulation (GDPR), which has been three years in the making and will replace the European Data Protection Directive (95/46/EC).
The GDPR has wide-reaching implications for global business and if you or your company process personal data in any way, shape or form, it’s likely that you will have to take steps to comply. By 2018 (at the latest) it will supersede national data protection law in all EU member states as well as Iceland, Liechtenstein and Norway.
What’s changed?
Processing your customers’ data will bring with it a heavier burden of compliance when the regulation comes into effect. The definition of personal data has been widened to encompass information on personal economic and social status. Crucially, the requirement for individuals to consent to their data being processed has become more onerous with the new regulation. It requires an unambiguous and freely given indication that the individual agrees to your processing of their data.
Data processors will be held directly liable for any breaches that occur during processing. This means that companies providing outsourced services or subcontract activities can now be held to the same standard as the data controllers who hire them. In addition, the regulation will require data controllers to put in place mandated controls, such as using pseudonyms rather than consumers’ real names in certain circumstances.
One of the major changes introduced by the regulation is the gravity of the penalties for breaching these rules. It stipulates that companies in breach of the regulation can be fined as much as €20 million or up to 4% of a company’s annual worldwide turnover.
Will I be affected?
With these changes and the high penalties for failing to adhere to them in mind, it is vital that all companies consider whether any of their business practices would be considered ‘data processing’.
If you:
- Profile your customers based on personal, economic or consumer data;
- Monitor data on a large scale, for example, consumer habits; or
- Gather customer data for purely automated processing
you will be affected by the changes under this regulation.
The new regulation also states that companies who do not have a physical presence in Europe but do deal with the data of European citizens will be liable as if they were situated within Europe. This means that the regulation affects data processing rules globally.
What can I do?
Whilst such an overhaul of data protection regulations is daunting, Devant can help you and your company to prepare for the coming changes. We can provide a detailed review or audit of your current data protection procedures and identify the key areas where change will be needed to comply with the incoming regulation. In addition to this, as a team of contract specialists we can work with you to generate the all-important contract between you and your clients to ensure that they have properly consented to your use of their data.
If you operate as a data processor or collect and analyse your customers’ data, get in touch! We’ll be pleased to work with you to ensure that you’re compliant with the General Data Protection Regulation and are fully prepared for its implementation.
Callum Sommerton
Devant