New EU Personal Data Protection Rules
On April 14th 2016, the EU Parliament passed the long-awaited new EU rules for personal data protection (GDPR). Everyone who holds or processes data on individuals in the 28 countries of the EU has until May 4th 2018 to comply.
The top ten provisions of the regulation are:
- It is a global law.
No matter where you are in the world, if you have data on individuals in the EU and lose it, you are responsible and can be fined. As an example, if you have a web site and a European comes on and enters their contact information, you have to conform.
- Increased fines.
Up to 4% of global turnover or €20,000,000 (US$22M)
- Opt-in regulations.
Users must be give clear consent to opt-in to their data being collected and you must only use it for the purpose defined. No opting out, no hidden terms, no selling/giving data to other people.
- Breach notification.
If you lose data, you have 72 hours to tell the authorities.
- Joint liability.
If multiple companies process the data, they are all liable if data is lost, so if you hold data YOU are responsible if data gets lost via a risky cloud service.
- Users can demand their data back, that it is updated and deleted.
If you hold data, you need to work out how to achieve those requirements.
- Removes ambiguity.
One law across all 28 countries of the EU.
- Common enforcement.
The authorities are expected to enforce consistently across all the countries, the good news is data holders only need to deal with one authority.
- Collective redress.
Users can sue together if data is lost in class action lawsuits.
- Data transfer.
Data transfer from the EU is allowed, but subject to strict conditions.
These requirements are onerous and require careful preparation and planning. Many businesses deal commercially with EU citizens and organisations. If you do, speak to CIS to start planning for these regulations now.