Important changes are coming that will affect all entities that process personal data. On May 25 of this year, the General Data Protection Regulation (GDPR) comes into force. It is a new set of regulations that will apply throughout the European Union, across all industries and activities. The new rules are largely general in nature. For example, they do not prescribe specific data security technologies to be used in satisfying their requirements. The choice of the tools used to protect personal data is left in the hands of the entrepreneur (administrator). These methods should be adapted to the specifics of the activity in question and analyzed in advance with regard to the risks associated with data processing.
The new law is not retroactive, therefore data previously collected in a legal manner will remain valid and will not require renewed consent for processing.
Changes in the law affect the collection of new information. The administrator's duty will be to provide accurate information regarding the purpose of the data processing. Many companies now collect a lot of information on their websites, even if it is not needed for the stated purpose. Apart from the fact that too many (four or more) fields to fill in effectively discourages users from completing the form, this is irrational from the point of view of the recipient. Why does someone who wants to subscribe to the newsletter have to give their phone number or postal code? After the entry into force of GDPR, it will still be possible to collect detailed information, but only if the administrator can justify the need for the data. For example, he will be able to collect postcodes when he conducts his sales activities all over the country and wants to send offers in line with the assortment of the stationary store closest to the recipient's place of residence.
The new regulations also impact another aspect of collecting data. Many companies offer an ebook or PDF with interesting content in an attempt to engage potential customers. To download it, users only have to enter their email address. Most of them understand that this is for the purpose of having the file sent to their inboxes. At the same time, in the opinion of marketers, sharing an email address implies consent to receive a newsletter or commercial offers. GDPR clarifies this situation by specifying that from now on, consent will have to be given voluntarily and consciously, while clearly indicating what the user agrees to. Therefore, GDPR will require, for example, one consent for sending commercial offers and a separate consent for subscribing to a newsletter. It is also important that, going forward, the wording of the consent is simple and understandable. This can be done while still retaining creative freedom over the way it is presented. The only important thing is that everyone clearly understands what they are agreeing to.
An entity asking for personal data will be required to inform users about the purpose, scope and duration of its processing, as well as the rights of the data subjects. In particular, the data controller will be obligated to provide the following information:
- its contact information
- data protection officer contact information
- the purpose of processing the data
- the legal basis for processing the data
- the intention of sharing the data with other entities, if such an intention exists
- the time period for which the data will be processed
- the user's right to:
  - review the data
  - make changes to the data or delete it from the database
  - withdraw consent for the processing of the data
  - move the data elsewhere
  - file claims
One of the most important obligations introduced by GDPR will be the necessity of having a document that defines all the purposes for which data is processed and how the data's security is ensured, and that also identifies the persons who administer the data and have access to it. Importantly, this document will not have a standardized form, so it can be presented in different ways.
When processing personal data, it will be necessary to pay special attention to new rights for users. Upon their request, the company will have to delete their data (the right to be forgotten) or change it (the so-called right to rectification: the data subjects can change previously supplied data, or extend or reduce the scope of the consents they previously expressed). This applies to all documents in which the data has been duplicated, as well as to printouts of these documents.
Another new requirement will be the obligation to report a personal data breach. In practice, this means the administrator will have to report not only, for example, a hacker attack on the database, but also any irregularities he himself has committed. Simply put, he will be obliged to report violations within 72 hours of detecting the anomaly.
Following the rules
GDPR, in addition to the regulations described above, introduces very severe sanctions for failure to adhere to its provisions. The regulations provide for a maximum penalty of up to EUR 20 million or 4% of a company's annual turnover.