With the ever-increasing hype and discussion surrounding the upcoming implementation of the GDPR, micro-businesses and affected professionals have no doubt wondered how this regulation will, in one way or another, affect their business. But what is the GDPR?
The General Data Protection Regulation, or GDPR for short, is an eleven-chapter regulation coming into effect on the 25th of May 2018. The regulation, which was approved by the EU Parliament following four years of preparation and debate, replaces its predecessor, the Data Protection Directive 95/46/EC.
Aim of the regulation
The aim of the regulation is to protect EU-domiciled individuals from privacy and data breaches in today's digital world. The 1995 directive, which had not been updated in over two decades, underwent a thorough restructuring: new key points were added and parts of the old articles were revamped to accommodate and regulate the fast-changing, data-driven world in which we live today.
The new regulation is structured around nine key points. These include penalties, consent, four data subject rights, privacy by design, and perhaps the two most disruptive points of all: the appointment of a data protection officer, and territory.
The regulation was redesigned to increase the territorial coverage of data protection, making this one of the biggest changes in the regulation itself. The extra-territorial applicability affects controllers and processors that, in any form, process private and confidential data of EU-based customers, irrespective of where they are established and whether or not a payment is required for the rendering of the service or good. This means that if a US company renders a service to an EU-based customer, and certain private data is required for the rendering of that product or service, the US company is required to operate within the GDPR regulatory framework and is therefore subject to its penalties if a clause is breached, even though the processing did not take place in the EU. Furthermore, non-EU businesses processing the data of EU citizens are required to appoint a representative in the EU. In this way, the GDPR makes its applicability clauses clear and unambiguous, unlike its preceding directive.
In addition, the conditions for customer consent have been strengthened. With the implementation of the GDPR, companies will no longer be able to use long, illegible terms and conditions full of legalese. Instead, a request for consent must be given in an intelligible (readable) and easily accessible form, with a clear statement of why consent is needed and of why and how the data will be processed, all in clear and plain language that any customer can easily understand. Furthermore, withdrawing consent must be as easy for the customer as giving it.
BGMT is a multi-disciplinary firm offering accounting, taxation and advisory services to multi-tier businesses operating in various industries.