Next year, a new data protection law will come into effect in the European Union. Here, we look at the provisions of this new law and what publishers can do to get ready for the change.
What is the GDPR?
The General Data Protection Regulation is a new EU regulation which will come into force on 25 May 2018. Because it’s a regulation rather than a directive, it will become law in all member states without any additional national legislation. So in the UK it will replace the 1998 Data Protection Act, which was passed to comply with the old EU Data Protection Directive of 1995.
Who does it affect?
The GDPR applies if the collector of the data, the processor of the data, or the subject of the data is within the EU. It also regulates the export of personal data outside the EU, stating that data should only be transferred to a country that provides EU-standard data protection. Even post-Brexit, it’s likely that the UK will enact similar data protection legislation, and of course the GDPR will still apply to any companies with business interests in the EU.
What are the main changes?
The GDPR aims to strengthen and simplify data protection law, and to bring it up to date with new technological developments (such as social media, cloud computing and big data):
- personal data is defined as anything that can be used directly or indirectly to identify an individual, including online IDs
- it must be clearly explained how data will be used and consent must be given for this use
- data must be erased if consent is withdrawn or the data is no longer relevant to the agreed use
- a person’s data must be provided to them on request in a portable format
- data protection must be designed into systems and processes from the outset
- Data Protection Officers must be appointed by companies involved in large-scale data processing
- data processing policies and procedures must be fully documented
- security breaches must be reported immediately
- penalties are much heavier than before
How can publishers prepare?
Although details of data protection policies will vary from publisher to publisher, according to what sort of data is collected and how it is used, there are some key points to address:
- Responsibility for data protection: ensuring someone in the organization has overall responsibility for compliance with the GDPR – this may involve the appointment of a Data Protection Officer.
- Data processing: auditing how personal data is collected and processed, to assess whether any changes are required in order to comply with the GDPR.
- Consent: reviewing privacy notices and the methods for giving and recording permission to use personal data.
- Data protection impact assessments: considering which business processes are high-risk in terms of data security and what can be done to mitigate that risk.
- Documentation: documenting everything relating to data protection, including procedures for handling security breaches and for responding to requests for accessing, correcting or deleting personal data.
For a more detailed guide, see this handy checklist from the Information Commissioner’s Office.