To celebrate both the new secretariat and welcoming you all back from the holidays, our discussion will centre around the very recent implementation of the EU's GDPR.
As of the twenty-fifth of May this year, the Data Protection Act of 1998 will be replaced with the General Data Protection Regulation, or GDPR. This piece of policy was proposed in the EU in early 2014, and has finally come to fruition this month. The GDPR has six key pillars: privacy, accuracy, access, consent, security and responsibility.
In light of recent data breaches like Cambridge Analytica and Equifax, the mainstream media has been active with discussion on data protection. This recent legislation has provided individuals with an opportunity to access all data an organization has on them, and to request deletion of said data. Additionally, the GDPR states that secondary uses of collected data must be compatible with its primary use; for example, a business cannot sell data collected for marketing or profit. Many regard the intent of this regulation as finally changing the data-protection industry in favor of the consumer, rather than the ‘big-wigs’ in charge of the organizations. Consumers will not experience significant difference, other than in how organizations interact with them: privacy notices will become more transparent, consumer rights will be more publicized, and data breaches will be disclosed to a more informed public. The standardization of data protection law provides more information and access to citizens and visitors in the EU.
However, many delegates of the EU have been hesitant to usher in the legislation on the grounds of the punishments included in the policy. The General Data Protection Regulation requires businesses globally to transform almost all of their current privacy policies, even organizations that are not based in the EU, such as those in America. While the law takes great strides to protect citizens, those who violate its many clauses might find themselves in trouble. For example, if an organization is found to be in violation of the right to erasure, in violation of the rules on cross-border transfers to non-EU countries, or failing to notify consumers of a data breach within 72 hours, the organization faces many possible consequences. The GDPR currently states that should a business be found ignoring the law, it will be fined up to 20 million Euros, or 4% of its global annual turnover, whichever is higher.
While a set of laws is important when enforcing any legislation, the preparation to accommodate the GDPR is very tenuous. All organizations must show clear and present evidence that they are preventing data breaches, and must illustrate improvement. However, a recent study discovered that many of the top firms struggle to account for their current spending on data protection, and many will need to invest millions of Euros into the GDPR. As of 2016, 62% of all German business respondents feel as though their business will face extravagant fines. However, the costs might be worth it: 16% of data breaches are caused by human error, which accounts for roughly 3.52 mill.