The Design and Content Principles of Data Protection (EU GDPR)

July 30, 2016

The EU General Data Protection Regulation (GDPR) provides a single, harmonised data privacy law for the EU. The GDPR was formally approved by the European Parliament in April 2016 and will come into force on 25 May 2018. Designed to improve data security for everyone living in EU member states, this will result in some significant changes to the way that organisations manage data, together with implications for design and content principles.

Brexit or no-Brexit, you will be required to comply with the Regulation if you carry out business in the EU with EU citizens’ personal data – wherever your business is based. This includes data processing activities or the provision of products and services. In effect this makes it the first global data protection regulation. Organisations failing to comply could face potential fines of up to 4% of their annual turnover.

During the next two years, organisations can respond to the requirements of the GDPR by considering the customer experience, design and content, and by assessing how these can support and benefit data management in line with the new regulation, which aims to ‘design in’ privacy-friendly settings. Two elements of the obligations are worth considering in more detail:

The GDPR requires more transparency about how your data is handled. This gives companies the opportunity to repurpose their content in clear and plain language with easily understandable information, especially for children. All policies should be easily accessible and honest and, when agreement is required, customers should be asked to give their consent by means of a clear and affirmative action, not by assumption or by the absence of an objection.

Data protection by design, ensuring that privacy is embedded into new systems, processes and designs as they are deployed, is an essential element of the new rules. It means that GDPR requirements are considered during all phases of the digital design process: not only at the point of delivery, but from the inception and creation of any new service or product, so that the principles of data protection are a core element of the customer experience, in effect ‘data protection by default’. Staying ahead of the game during the next two years will allow organisations to demonstrate their compliance with the new regulation while, at the same time, creating a competitive advantage by developing intuitive and compliant products and services for both their EU and their international customers.

The key changes – as outlined in the European Commission’s factsheet – include:

  • Guaranteeing easy access to one’s own personal data and the freedom to transfer personal data from one service provider to another.
  • Establishing the right to be forgotten to help people better manage data protection risks online.
  • When individuals no longer want their data to be processed and there are no legitimate grounds for retaining it, the data will be deleted.
  • Ensuring that whenever the consent of the individual is required for the processing of their personal data, it is always given by means of a clear affirmative action.
  • Ensuring a single set of rules applicable across the EU.
  • Clear rules on when EU law applies to data controllers outside the EU.