On May 25, 2018, the General Data Protection Regulation (GDPR) of the European Union will come into effect, making it the strictest data privacy law in the world.

Undoubtedly the most significant legal development in data protection in the last few decades, the GDPR will affect all businesses that process the data of EU citizens, regardless of whether a company is in the EU.
The GDPR aims to give individuals more control over their personal data and impose stricter rules on businesses when it comes to data processing. The GDPR covers “personal data”, which is defined as “information relating to an identifiable person who can be directly or indirectly identified in particular by a reference to an identifier.” This includes a person’s “name, photo, email address, bank details, posts on social media, medical information or computer IP address.” The GDPR applies to both automated and manual filing systems where personal data are accessible. Currently, there is no other law with the same breadth and scope.

As the historic day for data protection fast approaches, let us briefly explore how the GDPR will affect both users and businesses.

Impact on Individuals:
The GDPR provides a regime that greatly favors the individual user by giving them more rights in relation to their personal data. All users will understand what their data is being used for and they will also be in a better position to decide how their data can be used.

Consent: Obtaining an individual’s consent in a clear and understandable way is a big part of the GDPR. All those long and unintelligible Privacy Policies and Terms of Service? The GDPR aims to scrap them in favor of simpler and more accessible texts. Companies will need to update their Terms of Service to get rid of all the legalese and have everything in plain language so that users can actually understand what they are agreeing to. Individuals will finally know exactly what their data is being used for and can no longer be tricked by complex and obscure legal terms. Indication of consent should be unambiguous and involve a clear affirmative action, an opt-in. Equally important, it should be as easy to withdraw consent as to give it.

Rights:
The level of users’ access to and control over their personal data is more explicitly expanded in the eight rights laid down in the GDPR, which consist of the following:

1. The right to be informed

2. The right to access

3. The right to rectification

4. The right to erasure

5. The right to restrict processing

6. The right to data portability

7. The right to object

8. Rights in relation to automated decision making and profiling

The rights enumerated above basically ensure that the user is made fully aware of how his or her data is being processed (informed, access). Users are also allowed to edit any personal data they believe is erroneous (rectification), or they may limit or object to how the data is being processed.

The right to erasure is also known as the right to be forgotten, which entitles the user “to have the data controller erase his or her personal data, cease further dissemination of the data, and potentially have third parties halt the processing of this data.” So, a user may withdraw his or her consent and his or her data should be deleted permanently.

The GDPR has also introduced the concept of data portability, which is the right of a user to receive his or her personal data and to transmit this data to another controller.

Impact on Businesses:
All businesses which have access to the data of EU citizens must carefully examine how they process this data and how they can prevent any misuse of it. Companies will be subject to higher standards of accountability and they will have to become more transparent about how they use their customers’ data. Non-compliance with the GDPR will be costly, time-consuming, and significantly detrimental to a company’s reputation.

Accountability:
Organizations will be subject to higher standards of accountability and will have to implement technical and organizational measures to demonstrate compliance. These include training staff, conducting internal audits, maintaining relevant documentation, conducting data protection impact assessments, and employing security techniques like pseudonymization and encryption. A Data Protection Officer (DPO) must be assigned as the single point of contact responsible for the implementation of data protection across the organization.

Privacy by design:
Though the concept of Privacy by Design has existed for some time, it has become a legal requirement under the GDPR. The idea is that data protection measures should be baked into all business operations and processes from the very beginning, not bolted on as additional features. Furthermore, Article 23 calls for data minimization, which means controllers keep and process only the data absolutely necessary for the completion of their duties. Access to personal data is also limited to those who need it for processing.
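The accountability and Privacy by Design sections above name pseudonymization, data minimization and erasure as measures a controller is expected to apply. The following is an added illustration of what those three look like in code; it is not part of the original post and does not describe any particular product. It assumes a hypothetical “usage analytics” purpose that needs only a subscription plan and a login count, a set of constructed sample records (no real people), and a pseudonymization key that the controller stores separately from the analytics dataset.

```python
import hashlib
import hmac

# Constructed sample records (not real people). The field set mirrors the
# examples of personal data listed in the post: name, email, bank details, IP.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.test", "ip": "203.0.113.7",
     "bank_details": "IBAN-PLACEHOLDER-1", "plan": "premium", "logins_last_30d": 12},
    {"name": "Bob Example", "email": "bob@example.test", "ip": "198.51.100.2",
     "bank_details": "IBAN-PLACEHOLDER-2", "plan": "free", "logins_last_30d": 3},
]

# Assumption: the hypothetical analytics purpose genuinely needs only these two
# fields. Everything else is dropped (data minimization).
ANALYTICS_FIELDS = {"plan", "logins_last_30d"}

# Direct identifier used to link a person's rows; it is replaced by a pseudonym.
IDENTIFIER_FIELD = "email"

# Fields that must never reach the minimized dataset.
DIRECT_IDENTIFIERS = {"name", "email", "ip", "bank_details"}


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of an identifier.

    A plain SHA-256 of an e-mail address can be reversed by hashing guessed
    addresses. With a keyed hash, the key is the 'additional information' that
    GDPR requires to be kept separately: whoever holds only the dataset cannot
    re-identify anyone, and destroying the key makes the pseudonyms unlinkable.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def minimize(record: dict, key: bytes) -> dict:
    """Keep only the fields the purpose needs, plus a pseudonymous subject id."""
    out = {field: record[field] for field in ANALYTICS_FIELDS if field in record}
    out["subject_id"] = pseudonymize(record[IDENTIFIER_FIELD], key)
    return out


def build_analytics_dataset(records: list, key: bytes) -> list:
    """Produce the minimized, pseudonymized dataset handed to the analytics team."""
    return [minimize(r, key) for r in records]


def leaked_identifiers(dataset: list) -> list:
    """Compliance check: list any direct identifier that survived minimization."""
    return [f for row in dataset for f in row if f in DIRECT_IDENTIFIERS]


def erase_subject(dataset: list, identifier: str, key: bytes) -> list:
    """Right to erasure: the key-holder recomputes the pseudonym for the person
    who asked to be forgotten and drops every row linked to it."""
    target = pseudonymize(identifier, key)
    return [row for row in dataset if row["subject_id"] != target]


if __name__ == "__main__":
    # Constructed key for the demo; a real controller would generate it with
    # secrets.token_bytes(32) and keep it outside the analytics environment.
    demo_key = b"constructed-demo-key"
    dataset = build_analytics_dataset(SAMPLE_RECORDS, demo_key)
    print("minimized rows:", dataset)
    print("leaked identifiers:", leaked_identifiers(dataset))
    print("after erasing alice:", erase_subject(dataset, "alice@example.test", demo_key))
```

The design point is that the analytics dataset on its own cannot be mapped back to a person, while the controller, holding the key separately, can still honour a rectification or erasure request for a named individual. If the key itself is deleted, the remaining rows become unlinkable, which is one way to give effect to “deleted permanently” for derived datasets.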

Penalties:
Companies need to take the GDPR seriously because if they are in breach of it, they can be fined up to 4% of their annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements, since there is a tiered approach to fines. All rules apply to both controllers and processors, so “clouds” also fall within the scope of the GDPR.

Advantages:
Compliance with the GDPR will not only benefit individual users but companies as well, because enhanced data protection can enable more extensive data analytics and increase quality and governance. A company’s reputation will also improve, as knowing that their personal data is adequately protected will boost trust among customers, employees, and partners.

Personal data is a vital asset of the global economy and with the GDPR coming into effect this May, users may have more confidence that their information will be subject to a comprehensive and strengthened legal regime. Data protection is serious business and the GDPR will ensure that this will be given utmost priority.

LiveWell is a collaborative intranet software that allows businesses to communicate their culture, digitize the corporate well-being experience, and integrate HR initiatives. A winner of the 2017 Digital Solution of the Year Award by the French Chamber of Commerce, the LiveWell platform enables organizations to drive communication, improve participation, and measure results or data-driven decisions.