Many companies collect data from us, such as date of birth and residential address. Websites also store our purchases and our preferences. Those companies can store that data, share it with others, and use it to target offers.
As of 25 May 2018 the rules become much stricter: from that date the General Data Protection Regulation (GDPR) applies throughout the EU. Companies that fail to comply may face penalties.
Large Impact
The new rules involve far more than 'adjusting the privacy policy on the website'. All kinds of technical measures must be taken, such as adapting IT systems and their security.
Under the new rules, companies must accurately chart what they do with personal data, and citizens get more rights. For example, companies are obliged to inform individuals better and in plainer language, and to request separate consent for each use of their customers' data. Companies are also required to report a personal data breach to the supervisory authority within 72 hours of becoming aware of it. Ultimately, all these measures are meant to bring greater control over the huge data economy in which companies like Google, Facebook and Amazon hold enormous power.
Summary of the New Rules
- The obligation to keep a record of all processing activities involving personal data;
- The obligation to draft an internal privacy policy;
- The execution of Privacy Impact Assessments (PIAs; the GDPR itself calls them Data Protection Impact Assessments) for high-risk processing of personal data;
- The implementation of the new rights of data subjects: the right to restriction of processing of personal data and the right to data portability;
- More detailed obligations regarding data processing agreements with processors;
- The implementation of privacy by design and privacy by default, alongside the already existing obligation of data minimisation;
- An extension of the category of special personal data to include genetic data and biometric data; the processing of these personal data is subject to stricter rules;
- An increase in the maximum fines (EUR 20 million or, for companies, 4% of total worldwide annual turnover in the previous financial year, whichever is higher);
- An extension of the already mandatory data records to all European Member States;
- In certain cases, the mandatory appointment of a Data Protection Officer.
That is a whole lot of work to implement. For big companies it is manageable, but what about small companies with only a few employees: small retail shops, small consultancy firms? In the Netherlands we have more than 700,000 single-person companies (freelancers) out of a working population of about 6.5 million.
Considerations
Though many of the EU rules have already applied in the Netherlands for some time, no really big negative events have happened. But since we are only at the start of digital crime, the future may look different.
I support the rules in general, since individuals MUST be certain that their data is protected and not abused. To me it is unthinkable to have no rules for those who store and manage third-party individuals' data, leaving all the responsibility with the individuals to identify which parties they can trust with their data and which they cannot.
However, this type of regulation will make it much harder for small companies to manage their risks. Also, with this type of regulation we are moving further towards centralised control, rather than down the road of less centralised control and more local, community-type agreements.