The data privacy and data protection regulatory regime is experiencing unparalleled change.
The digital revolution and technology advancements in recent years have led to new digital markets for large volumes of privileged data. This collation and trade in data crosses borders and jurisdictions. Regulation is now catching up with this technological change and GDPR is the legal response – a common regulatory regime, applied globally.
In 2015, the Safe Harbour framework between the US and EU was ruled invalid after a court case. The Privacy Shield framework replaced it while complex negotiations between the European Parliament, Council and Commission to create a more robust replacement began. The new regulation, the General Data Protection Regulation (GDPR), was approved in April 2016.
GDPR comes into force on 25th May 2018 and is widely recognised as the most important change in data privacy regulation in two decades.
Its wide reach and stringent obligations are making GDPR regulatory compliance a significant undertaking for businesses around the world.
The regulation aims to provide a level playing field in terms of data protection, both within and outside the EU, and support economic growth in the digital era, while also focusing on protecting the individual and individuals’ rights. GDPR allows organisations to operate with confidence, complying with reasonable, clear obligations, whilst continuing to develop and promote new and innovative services.
Through the adoption of the EU GDPR, privacy and data protection becomes a global concern. The regulation applies not only to EU-based organisations but to any organisation that:
- has operations within the EU and stores EU citizens’ data
- offers products or services to EU citizens
- has third parties which store or process EU citizens’ data
- conducts monitoring activities in the EU including the processing of personal data.
A more robust approach to data management:
The Regulation reinforces some of the existing obligations under the UK’s Data Protection Act 1998. It also requires organisations to adopt a more robust approach to the management of personal data:
- Increased sanctions with maximum fines of up to €20 million or up to 4% of the global turnover
- Stricter obligations for data processors and data controllers alike promoting a shared responsibility and liability model
- Obligation to appoint a Data Protection Officer for organisations that are a public authority, who do large scale monitoring or carry out large scale processing of special categories of data
- New or reinforced data subject rights including rights to be forgotten and for erasure, data portability, access, rectification, restriction and objection to automated processing and profiling
- Introduction of a new consent model whereby explicit consent is mandated for special data categories, and purposeful limitation and data minimisation of personal data is required
- Stricter guidelines on breach notifications whereby supervisory authorities must be notified within 72 hours of learning of a data breach and impacted individuals must be notified “without undue delay”.
Privacy and data protection concerns are escalating to board level, as organisations are gearing up for the fast approaching enforcement date.
Find out how BAE Systems can help - Explore our GDPR Services
Alternatively, you can learn more about your GDPR obligations and how your organisation could address them by exploring our GDPR Webinar series below: