By Andria Kades
A new EU regulation, the reason members of the public have been receiving a slew of emails and text messages recently, comes into effect on Friday.
It has been billed as the biggest shake-up of data privacy laws since the birth of the web.
The pan-EU law aims to give EU citizens more rights to control their online information. It has a list of technically demanding requirements, and threatens fines of up to 4 percent of a company’s annual revenue for serious infringements.
The law covers companies that collect large amounts of customer data including Facebook and Google. It won’t be overseen by a single authority but instead by a patchwork of national and regional watchdogs across the 28-nation bloc.
The General Data Protection Regulation (GDPR) aims to provide a set of standardised data protection laws across all EU member countries. It is intended to establish data privacy, make it easier for citizens in the EU to understand how their data is being used, and give them the means to file complaints.
The key word affecting most businesses and consumers is ‘consent’: companies must now prove they have a person’s consent before sending them anything.
This explains a host of messages and emails sent out ahead of the deadline on May 25 from companies asking for consent to continue staying in touch.
If this is violated, members of the public can file a complaint with the personal data protection commissioner, who can impose a fine of up to four per cent of the company’s global revenue or €20m, whichever is higher.
The steep fines have caused companies to rush to make the deadline.
The regulation also allows members of the public to request from companies all the information held on them, and gives them the right to have that information corrected or removed.
If a data breach takes place, the organisation – whether public or private – must inform the people who may have been affected as well as the personal data protection commissioner’s office within 72 hours.
Additionally, organisations which deal with large amounts of data are also required to hire a data protection officer.
The conditions for hiring such a professional – who must have expert knowledge in the field – are that the organisation is a public authority, that it engages in large-scale systematic monitoring, and/or that it engages in large-scale processing of sensitive personal data.
The regulation does not outline a specific definition for the term “large scale”. However, the general consensus is that organisations with over 250 employees, or that process the personal data of more than 5,000 data subjects in a 12-month period, will be required to have a DPO.
Read a full story in this week’s Sunday Mail of how the GDPR is being implemented and affecting Cyprus.