The General Data Protection Regulation (GDPR) will take effect at May 2018 and is Europe’s hottest topic right now when it comes to cybersecurity. Basically, it’s the European Parliament’s form of regulation, which intends to improve and unify all legislation about data throughout European Union (EU).
Why does it matter? Despite being an EU regulation, its rules far transcends the boundaries of EU and will ultimately affect the world’s service providers and consumers.
GDPR is a set of rules that will allow individuals to have more control over their personal data used by any kind of service provider.
Data has been evolving like crazy throughout the years and it appears that the regulations in place have failed to catch up. In EU’s context, the data legislation they currently have in place, known as the Data Protection Directive, dates back since 1995. To put it into perspective, this is the time when DVD was the latest innovation along with old school video game consoles. No social networks, no online banks, and no online shopping. The internet and the whole data economy was a very different place.
GDPR reforms these regulations with the hopes of catching up with today’s developments in data; empowering them by broadening its reach under a set of basic rules. Below is an overview of the biggest changes under GDPR:
Increased territorial scope
- You have an establishment in the EU
- Offer goods and services to EU residents
- Monitor the behavior of EU residents
Previously, the legislations were ambiguous in terms of identifying territorial applicability often relying solely in the context of an existing establishment. This became a problem when data started jumping in value and cloud platforms and services were increasingly becoming the norm in terms of storing and facilitating data.
Under the new GDPR, the legislation will still apply as long as a service affects an EU resident even without the presence of a physical establishment. GDPR makes it clear: it will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in EU or not.
The grounds of consideration for consent have also broadened. The conditions for consent have been strengthened and companies will no longer be able to use long and illegible terms and conditions full of legalese. The request for consent must be given in intelligible and easily accessible form with the purpose for data processing attached to that consent.
This means that long terms and conditions issued by many service providers across industries will now have to tailor the whole process of asking and giving consent for convenience of the users. Consent must be clear and distinguishable from unrelated matters and should use clear and plain language. Both withdrawing and giving consent should be easy to the user.
In relation to the scaled up systems for consent, the GDPR also revamped its penalties. Organizations in breach of the regulation can be fined up to 4% of their annual global turnover or 20 million euros (whichever is greater). This is the maximum fine that can be applied for the most serious offenses. There are still some levels depending on the scale of infringement but what’s more important to keep in mind is that these rules apply to both controllers and processors – meaning that clouds will not be exempted from the GDPR enforcement.
This is a big change as this extends beyond the borders of EU and will possibly spark a movement in the data industry.
The GDPR is another manifestation of the importance of data and the whole industry that supports it. Experts in Tech One Global are now also speculating that this is just the start of industry adjustments not just for EU but for the whole world.
Microsoft and Tech One Global are now also preparing for the big changes for the upcoming May 2018 where the GDPR will finally take place. Microsoft has extensive expertise in protecting data, championing privacy, and complying with complex regulations such as the EU-US Privacy Shield and EU Model Clauses. You can be rest assured that the latest developments in our latest solutions like Office 365 and platforms like Azure are all geared up for GDPR and future regulations that might still surface.
In the next article, we will tackle how it specifically affects the controllers and processors. Stay tuned to arm yourself with the most relevant knowledge about GDPR, cybersecurity, and digital transformation.