GDPR-Data protection bill
GDPR | Seers Blog | February 10, 2017 | GDPR
GDPR, the EU data protection bill, is an acronym for the General Data Protection Regulation. It is new legislation coming out of the European Union that does not take effect until May 25th, 2018.
GDPR and EU Data Protection Bill
Companies need that much time to get ready for this massive new legislation. Although the law focuses substantially on how you protect an individual's data, it is a brilliant piece of legislation whose scope is much broader than data protection and privacy alone. It gives organisations legislative guidance on how to manage and govern the data they collect. Think of it as good data hygiene: knowing what you collect, how you use it, and doing the right things with it.
After an almost five-year political and legislative process throughout the EU, the result is this legislation, an overhaul of the EU's ageing data protection laws, most of which are country specific. The Data Protection Bill (DPB) is the UK's answer to the GDPR, evolving the country's existing data protection laws for the 21st century with the aim of ensuring uninterrupted data flows between the UK and the EU after Brexit.
The current EU data protection bill and the GDPR do not take account of updated technologies, including the internet of things, cookieless tracking, mobile, and big data/analytics. The aim is simply to put personal data back under the control of individuals. The second purpose is to give certainty to companies that need to comply with data protection laws within the EU, so that they only need to comply with one set of privacy rules.
The GDPR reinforces the European notion that privacy is a fundamental human right, and it creates new rights for individuals. Let's talk about how it impacts companies. First of all, the brilliance of this law is that it extends far beyond the EU's borders: if a company offers its services to an EU resident, the law applies. Second, the risks of non-compliance are high; enforcement is robust, with huge fines and penalties for non-compliance.
Depending on the transgression, fines can be as high as 4% of the company's gross revenue or up to €20 million, whichever is higher. There are also lower-level fines for non-compliance, 2% of the company's gross revenue or up to €10 million, but either way these are huge numbers.
There are also new individual rights classified under the GDPR. An individual has the "right to access his/her data", as well as the right to get that data corrected. Personal data can include name, address, phone number, list/location of connected devices, buying interests and patterns, etc. There is also the right to erasure (the right to be forgotten). Interestingly, another aspect of the GDPR concerns tracking: many companies track and do analytics on their websites, apps and digital properties, tracking in the sense that they follow you around the web to learn about your browsing habits and activities, and they derive a lot of revenue from this. The law recognises that this is an important revenue stream for many organisations and does not prohibit the activity, but it says that companies that profile people must get each individual's consent and give them the ability to opt out.
Main similarities and differences between GDPR and UK Data Protection Bill
Both the GDPR and the DPB distinguish between data controllers and processors, as current data protection laws do. According to clause 30(1) (a) of the DPB, a controller "determines the purpose and means of the processing of personal data", while clause 303 states that a processor is "any person, who processes personal data on behalf of the controller (other than a person who is an employee of the controller)".
The DPB also further regulates the relationship between the controller and the processor by stipulating the expectations of, and rules for, both parties.
There are several differences between the GDPR and the DPB, mostly due to the optional powers present in the GDPR, which allow nations to adapt the legislation to their own cultural background. Last January, the minister responsible for GDPR implementation said that the UK is using maximum flexibility to reduce the impact of the GDPR on data controllers.
One of the core differences between the current draft of the DPB and the GDPR is that the requirement to appoint a representative for controllers that operate within the EU but are based outside its borders has been removed from the current version of the DPB. There is a provision for this in the GDPR, and the other 27 member states are incorporating it, says Matthew Rice of the Open Rights Group.
The GDPR was intended to harmonise Europe's data protection laws. However, the flexibility within it has naturally created variations in how the GDPR is implemented in each of the member states.