The EU needed a new law on data protection to replace the EU directive dating from 1995, when the internet was still in its infancy.
So finally, last week, after more than four years of negotiation, the European Union’s General Data Protection Regulation (GDPR) was passed in Strasbourg. The new law adapts the principles of the older one in order to protect consumers and improve the legal framework for businesses in a digitised world of smartphones, social media, internet banking and global data transfers.
The new regulation will be published in the coming days in the Official Journal of the European Union and will enter into force 20 days after publication. Nevertheless, its provisions will not be directly applicable in Member States until two years have elapsed after its entry into force.
Basically, the new legislation on data protection is aimed at giving people more control over their personal information. Amongst other issues, the regulation passed in Brussels recognizes citizens’ right to be “forgotten” online.
More importantly, at least as far as businesses are concerned, data protection errors will be far more expensive than before, i.e. companies could face huge fines for breaching the new law. Companies that do not comply with the strict new requirements will face fines of up to 4 per cent of their global revenue for the previous year, or €20 million (£15.8m), whichever is greater. In this new scenario, companies will have to take the issue of data protection much more seriously, while the rights of individuals will be strengthened in the new digital age.
Given that the new law gives companies two years to get their handling of personal data in order or face the possibility of punitive fines, it is expected that businesses will appoint a dedicated data protection officer if they handle a significant amount of sensitive data or monitor the behaviour of many consumers. Under the new legislation, firms must keep track of personal data in auditable ways and provide breach notification within 72 hours.