Welcome to our second E-zine of 2018. By the time you read this, GDPR (General Data Protection Regulation) will be well and truly in effect in the 28 countries of the EU, with far reaching implications for most companies with a presence on the Internet. We have had a number of clients enquire what GDPR will mean to consumers and businesses, so hopefully this sheds more light on the subject!
What is personal data under the GDPR?
The types of data considered personal under the existing legislation include name, address, and photos. In addition to this, even an IP address or sensitive personal data such as genetic data or biometric data that could be processed to uniquely identify an individual is included under the definition.
What does GDPR mean for businesses?
GDPR applies to all 28 countries in the European Union, but obviously extends much further than the border of Europe itself, as companies doing business “on European soil” will still need to comply with the law.
What does GDPR mean for consumers/citizens?
Owing to the huge increase in data breaches over the last number of years, it is virtually a given that most internet users may have had some of their data exposed on the internet.
One of the key benefits of GDPR is that consumers will now have the legal right to be informed if their data has been hacked. Consumers are also promised easier access to their own personal data in terms of how it is processed, and companies will have to provide detail as to how they use customer information in a clear and understandable way.
A number of companies have already been sending customers emails with information on how their data is used and providing them with an opt-out if they do not issue their consent to be a part of it. Especially in the retail and marketing sectors, organisations have contacted customers to ask if they want to be a part of their database.
GDPR will also provide consumers with the 'right to be forgotten' which provides additional rights to people who no longer want their personal data processed and to have it permanently purged or deleted.
What is a GDPR breach notification?
Organisations will by law, be afforded 72 hrs to inform the relevant authorities of any unauthorized data breach. Where applicable, the affected individuals must also be informed especially in the case where there is the risk of discrimination, damage to reputation, financial loss, loss of confidentiality, or any other economic or social disadvantage.
Interestingly enough, the individual may not be informed via a public website, press release or social media, but must be informed by the company via one-to-one correspondence!
What are the GDPR fines and penalties for non-compliance?
Should a company fail to comply with GDPR the result in a fine could range from 10 million euros to four percent of the company's annual global turnover, a figure that for some could mean billions.
In summary, companies will also need to provide a description of the potential consequences of the data breach, such as theft of money, or identity fraud. In addition to this, a full overview of the measures that are being taken to deal with the data breach and to counter any negative impacts that might be faced by individuals must be provided.
Until next time, thank you for your continued support of First Technology Cape Town!
Johan de Villiers