You may have noticed a number of emails, texts and notifications mentioning the General Data Protection Regulation (GDPR) and wondered how it relates to you.
Europe is set to undergo its biggest change to data protection in almost a quarter of a century.
Websites, apps and companies that collect data on European citizens will need to comply with strict new rules around protecting customer data by May 25.
What is changing, and why?
The General Data Protection Regulation (GDPR) is a new, EU-wide law that gives greater power to regulators to penalise companies who mishandle personal data or are not transparent about how their business uses it.
For consumers, it brings new powers that require firms to get clear consent from users before processing their data, and it grants users the right to easily access the data collected about them and to be told how it is being used.
Who does the GDPR affect?
The GDPR will change how businesses and public sector organisations can handle the information of their customers.
The law also states that notification of a data breach must occur within 72 hours of being first discovered, increasing transparency around such incidents.
However, it not only applies to organisations located within the EU; it will also apply to organisations located outside the EU if they offer goods or services to, or monitor the behaviour of, EU citizens.
The regulation also lays out special categories of data – such as political or sexual orientation – that require explicit written consent.
How does it affect me?
The legislation requires companies to make their privacy policies clearer for users – which is why you’re likely seeing a spate of emails come through from services you use asking you to take a look at their revised privacy policies.
As well as putting new obligations on the companies collecting personal data, the GDPR also gives individuals a lot more power to access the information that’s held about them.
At present, a Subject Access Request (SAR) allows businesses and public bodies to charge individuals £10 to be given what’s held about them.
Under GDPR this information will be free of charge and should be sent to you within 30 days.
There are also more stringent rules in place for children under the age of 16, a move which has forced messaging platform WhatsApp to update its policies to reflect this.
Why is this being taken so seriously?
One of the reasons companies are taking such notice of GDPR is that the fines involved for noncompliance are gigantic.
Those who break the rules can be fined up to 4% of annual global turnover or €20 million for breaching GDPR.
There is a tiered approach to fines, so minor breaches and mistakes, such as not having records in order, can still be fined €10 million or 2%.
For tech giants such as Google, Twitter and Facebook, this could mean the risk of fines running into the hundreds of millions.
The threat of these fines already seems to be working: both Facebook and Twitter have been rolling out updates to their privacy policies, adding clearer language and descriptions of data use, and offering users more tools to share or remove their personal data from the platform, as required by GDPR.
The recent Cambridge Analytica scandal has also increased public scrutiny on data use, with Facebook acknowledging it has received more questions from users recently on how it gathers and shares personal data.
What will happen to my data after Brexit?
If you process data about individuals in the context of selling goods or services to citizens in other EU countries, then you will need to comply with the GDPR, irrespective of whether or not the UK retains the GDPR post-Brexit.
If your activities are limited to the UK, then the position (after the initial exit period) is much less clear.
The UK Government’s new data protection legislation, which will implement the vast majority of GDPR, is currently working its way through debates in the House of Commons and House of Lords and is subject to amendments.
There is an expectation that the legislation will largely follow the GDPR, given the support the UK Government has previously given the regulation.
Should people care about the changes?
It’s important to review these changes to keep using various internet services, but it is also an opportunity for users to tidy up their online data sharing.
As part of the new laws, firms must give users greater access to controls around what data they share and what they want to keep private.
Facebook, for example, is rolling out a tool that lets users opt in to facial recognition being used to scan their photos, and also gives them the chance to switch it off.