The European Parliament has approved the biggest shake-up of data protection law in 20 years, promising far bigger fines for companies that fail to look after consumers' data.
The European Union's General Data Protection Regulation (GDPR) was adopted on April 14, 2016 in Strasbourg after more than four years of negotiations.
Key changes:
The regulation is due to enter into force this summer. Companies and public bodies will then have a two-year transition period before its rules apply.
The regulation's stated aim is to give citizens back control of their personal data and to simplify the regulatory environment for business.
It could mean huge fines for companies that breach the law, and it poses complex questions about how they store, delete and return data to citizens.
The regulation replaces the EU data protection directive (Directive 95/46/EC), which dates from 1995, when the internet was still in its infancy.
It is intended to protect consumers and simplify the rules for businesses in a digitised world of smartphones, social media, internet banking and global data transfers.
Under the new law, companies will have to take data protection far more seriously, while individuals gain stronger rights over how their data is used.
Data protection failures will be far more expensive than before. Companies that do not comply with the strict new requirements face fines of up to 4 per cent of their global annual turnover for the previous financial year, or €20 million (£15.8m), whichever is greater.
In the UK, the current maximum penalty stands at about £500,000.
Businesses will have to appoint a data protection officer if their core activities involve large-scale processing of sensitive data or regular, systematic monitoring of individuals on a large scale. Under the new legislation firms must also keep auditable records of how they process personal data and, in the event of a breach, notify the supervisory authority, where feasible within 72 hours of becoming aware of it.
The new rules essentially give individuals greater control over their personal data.
Among other things, consumers gain a right to erasure, the so-called right to be forgotten. This means that when an individual no longer wants their data to be processed, and there is no legitimate reason for retaining it, they can ask the company holding it to erase it.
This extends to internet companies storing data, so someone could in principle ask Facebook to erase their profile along with all the data it gathered while they were using the service.
It is unlikely to extend to news articles that people want removed, which are likely to be protected under freedom of expression rules.
The regulation also gives consumers a right to data portability, allowing them to obtain their personal data and transfer it from one service to another.
This could be a massive boon for consumers, allowing them to swap internet or email provider more easily and to shop around for services such as utilities and insurance.
The regulation says the data must be provided in a "structured, commonly used and machine-readable format", but it leaves open how companies will actually hand data back, in which specific formats and, more crucially, what data the user is considered to have provided.
Fraser Kyne, regional SE director at Bromium, commented on the new laws: “This legislation will make it harder for businesses to keep their heads in the sand – and it will force the issue of cyber security even further up the food chain. It’s time to stop admiring the problem and to start doing something about it. There will be a huge shakedown in the IT security industry over the coming months, and only those who offer true and sustainable value will survive; because businesses will rely on the security industry to actually tackle the disease, not just deal with the symptoms.”