Today, May 25, 2018, marks the implementation of the EU General Data Protection Regulation (GDPR). After four years of preparation and debate, the GDPR was finally approved by the EU Parliament on 14 April 2016. Enforcement date: 25 May 2018, at which time organizations in non-compliance may face heavy fines.
At the same time, I happened to see The Anti-Corruption Handbook in our Rare Business Book Section. This book, written by William P. Olsen in 2010, touches on the provisions of the Foreign Corrupt Practices Act (FCPA). The book gives an overview of reducing risk through technology and of intellectual property theft. Chapter 11 is all about Document Retention. It discusses the value of stored data back then, when computers were becoming heavily used for retaining information, backing it up and storing it. Hence, companies then came to treat this stored data as part of their intellectual property.
Such intellectual property, which includes personal information of website visitors and the like, may or may not be privileged information. The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy, and to reshape the way organizations across the region approach data privacy. The key articles of the GDPR, as well as information on its business impact, can be found throughout the GDPR site.
A big change in this new law centers on “Consent”.
The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
Right to Access
Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift to data transparency and empowerment of data subjects.
If you are in this global marketplace doing business with the EU, you need to make sure you are in compliance, as the penalties are very steep. “Penalties
Under GDPR, organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines, e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement” quoted from EGDPR.org