What you need to know about the new data protection laws
General Data Protection Regulation is Coming, 25 May 2018.
Call me a geek, but I absolutely love this stuff! On Friday 25 May 2018 new data protection rules come into force across all 28 member states of the European Union (EU). The General Data Protection Regulation (GDPR) will affect every business operating within the EU, and many outside it, and is set to change the way companies collect and use personal data.
As the world prepares for the new laws, there are three main things about the GDPR you need to know.
- Extended territorial scope: Any business that processes the personal data of people in the EU is subject to the new rules, regardless of where that business is based.
- New financial penalties: The most serious breaches can attract fines of up to 4% of annual global turnover or €20 million (whichever is greater). A lower tier of up to 2% of turnover (or €10 million) applies to failures such as not keeping processing records in order or failing to notify a data breach, including breaches of data held with a cloud provider.
- Changes to consent: The new rules require that an organisation's request for consent is "given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent" (EUGDPR 2018).
New Data Subject Rights
One of the most significant changes is the introduction of 'Data Subject Rights', which brings to the forefront the rights of individuals over the collection and use of their personal data. For so long, data subjects (users) have been largely powerless when it came to consenting to the use of their personal data; these rules set out to shift that power back to the user. We are seeing the beginning of a new data economy that focuses on returning control of personal data to the individual.
The six big changes that shift data transparency and empowerment to users:
- Breach notification: These new laws seek to address global concern over data breaches by requiring that any data breach is notified within a 72 hour period.
- Right to access: Data subjects will be able to access their personal data from data collectors, with organisations needing to be able to provide a copy of this data for free, in electronic format.
- Right to be forgotten: Data subjects will be within their rights to request all personal data be deleted, ceasing further dissemination of their data, as well as enforcing any third party to stop processing their data.
- Data portability: Data subjects will be able to use the data collected on them and transfer it to other data controllers.
- Privacy by design: These new laws require the inclusion of data protection to be a consideration in system design from the beginning. Failing to comply and adding privacy consideration as an afterthought will incur significant financial penalties. Entrepreneurs, tech startups, developers and larger corporations who may have previously brushed these requirements under the carpet will now have to consider data protection from the outset or risk significant financial penalties.
- Data protection officers: A mandatory requirement of the new laws is the introduction of data protection officers to ensure organisations adhere to the new regulations, as well as providing a contact data subjects to contact with regards to accessing personal data collected about them. These laws will be regulated rather than simply written and forgotten.
Not operating within the EU? What it means to you.
These changes will create a ripple effect as the large internet companies respond to international pressure to conform. Apple, Google, Squarespace and many more have been releasing their changes this week in preparation for the new rules. Changes to privacy policies, user agreements, personal data handling and the consent previously assumed on behalf of third-party developers will affect all facets of their business operations, and come May those changes will be experienced worldwide. If you operate a business and have customers in the EU, you will be required to adhere to these rules when it comes to protecting their data. For those of us operating within Australia, the Australian Government has released advice to help Australian businesses comply with the GDPR.
These rules may be only the beginning of regulation around data protection and privacy, but they mark a dramatic shift towards empowering individuals in a new data economy.
What an exciting time for us digital marketing geeks!