Changes In EU Data Law: The GDPR Requirements And How To Meet Them

04/01/2018 by Guest contributor for Intellectual Property Watch

Introduction to the GDPR

By Linkilaw

Statistics show that 69% of SME owners have heard about the General Data Protection Regulation (GDPR), and 70% admitted to being unaware that it will come into effect on 25 May 2018. It is important for small business owners to understand what the GDPR is and how it applies to them.

The GDPR is the outcome of four years of constant discussion, investigation and amendment by the EU to update its data privacy rules and regulations. The GDPR will replace the Data Protection Directive established in 1995, creating a greater territorial scope and stricter penalties for member states, and for businesses dealing with personal data, that fail to keep and handle data according to the new regulation. The GDPR was finally approved by the EU Parliament on 14 April 2016 but will apply from 25 May 2018, giving all EU member states a two-year transition period. This is a call to all SMEs: you need to prepare now!

Why does the EU need a new regulation when there already is one?

The new data regulation provides all EU citizens with data privacy in today's data-driven society. The new reality of data collection and processing is far removed from the context in which the 1995 Directive was first born. From the customers' and employees' perspective, the EU aims to give all its citizens more control over how their personal data is collected, processed and retained. The GDPR outlines a much broader range of rights than those provided under the Directive. Under the GDPR, data subjects have the right to:

- Know what data is being collected and for what purpose.
- Ask for copies of all the data held about them, at any time.
- Ask for incorrect data to be corrected; the controller is obliged to correct it as soon as possible.
- Ask for their data to be erased, at any time.
- Restrict processing: ask that their data stop being used for certain purposes, such as direct marketing.
- Data portability: data has to be provided in a structured, commonly used and machine-readable format.
- Object to certain data sets being processed.
- Not be subject to automated processing.

From the business owner's point of view, the EU's GDPR intends to create a single business environment with:

- One EU market operating under one law.
- The same rules for companies within the EU and for companies that process the data of EU nationals.
- A single supervisory authority.

Other important GDPR changes and how to meet them

1. Fines have increased

From May 2018 onwards, organisations found in breach of the Regulation can be fined up to 20 million euros or 4% of global annual turnover, whichever is greater. A fine of this size would be issued only in cases of serious misconduct, such as failure to comply with a data subject's data portability request.

What to do: It is important to understand that the rights of the data subject have always been one of the main focuses of the EU Parliament, so it is no secret that the EU is likely to do its best to provide its citizens with secure data privacy. If you act as a controller and do not want to be fined, it is vital to deal with all data subjects' requests. You must provide any requested information relating to any of the rights of data subjects within one month of receiving the request, free of charge. But wait, it is not as unfair as you think: the controller may charge a reasonable fee for "repetitive requests", "manifestly unfounded or excessive requests" or "further copies". It is worth mentioning that under the GDPR data controllers can also be fined for other reasons, such as 2% of global annual turnover or 10 million euros (whichever is greater) for not having their records in order. Make sure you are on the right track!

2. Increased territorial scope

Forget the phrase "in the context of establishment". After an enormous number of cases of misunderstanding about the scope of data protection law, the EU's GDPR puts an end to that. From 25 May 2018, the GDPR extends the scope of EU data protection law to all foreign companies processing the data of EU residents. Non-compliance penalties will also apply to them if they deal with the data of EU residents.

What to do: Whether you are an EU-based business or a non-EU-based business operating within its borders, you must comply with the GDPR. Data controllers or processors not established in the EU but processing the personal data of EU data subjects are obliged to comply with the GDPR if their activities include:

- Offering goods or services to EU citizens.
- Monitoring behaviour that takes place within the EU.

3. Breach notification

You probably know that in the majority of EU countries there are almost no legal obligations for businesses to report data breaches. The EU's GDPR, however, makes breach notification compulsory in all member states, so make sure you follow the "What to do" advice.

What to do: Data controllers must report personal data breaches to the local data protection authority no later than 72 hours after becoming aware of them, but this could be as little as 24 hours in the most serious circumstances. Data processors must notify their customers, the controllers, "without undue delay" after first becoming aware of a data breach. If a notification is not made within 72 hours of the data breach, the data controller must give a "reasoned justification" explaining the reason for the delay (for example, national security). The controller shall keep a record of any personal data breaches, including all the facts relating to the breach.

Conclusion

The purpose of the GDPR is to protect the private information of all EU citizens and to ensure its portability. This article outlines the main changes in EU data law and how you, as a business, should approach them. But there is only one main suggestion that applies to each one of you: the sooner you start preparing to comply with the regulation, the greater the likelihood that your business will operate smoothly during this transition and not be fined.

This article was authored by Victoria Tselkyh, Content Writer at Linkilaw, the Legal Platform for Startups. Linkilaw is a free online marketplace where clients can compare and make the best choice from an all-star virtual lawyer community.

Image credits: Linkilaw

"Changes In EU Data Law: The GDPR Requirements And How To Meet Them" by Intellectual Property Watch is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.