Published on the 29/05/2018 | Written by Paul Matthews
GDPR went live on 25 May - but how does it affects you?...
So what’s all the fuss about? It’s actually a really significant change to the rules around personal data, and it really does affect you.
Here’s a quick summary:
- The EU says the changes attempt to “harmonize data privacy laws across Europe, protect and empower all EU citizens data privacy and reshape the way organisations across the region approach data privacy.”
- One of the more controversial impacts of the new rules, and the reason it has such a world-wide impact, is what they call the “extra-territorial applicability“. This means that it applies to all companies worldwide who are dealing with information about people residing in the EU, even those simply offering goods or services to EU citizens. It hits everyone and it’s huge.
- One of the key changes is around consent. Basically if a company is going to store or process personal data such as names, email addresses and the like, it needs to have explicit consent. The small print in the middle of a 10-page “terms and conditions” aren’t enough – it has to be in complete plain English.
- The method of consent has to be recorded as well and proper records kept. This is significant – for example, if you have a mailing list you need to be able to show when people opted in and how.
- The fines are huge too. Companies can be fined up to 4 percent of their annual global turnover for breaches, with big fines for even seemingly minor issues.
- Companies must now also tell people if they’ve had a breach. We’ve seen a heap of this lately – people’s information being stolen and companies keeping it quiet to try to avoid reputation damage. Do that now and it could cost 2 percent of global revenue.
- Other changes are familiar to kiwis, such as the right to obtain (free of charge) any information that is being held about them. That’s been a part of NZ’s Privacy Act for a long time, although the EU law goes further.
- There’s heaps more as well, such as the controversial “right to be forgotten” This basically gives EU citizens the right to have Google, for example, remove references to them on searches. And again, the rules apply globally – not just to EU companies.
- The new rules also put into law the concept of “Privacy by design” for software developers. Basically software developers have to show they’ve built privacy into software from the ground up, not just tagged it on in the end. This has been a long time coming.
So some really important things to think about from a IT Professional perspective as well, even if you’re not based in the EU.
Paul Matthews is chief executive of the Institute of IT