Although the EU General Data Protection Regulation (GDPR) is not coming into force until May 2018, organisations need to act now to understand the changes that it will bring and be prepared to comply with the new rules.
Despite Brexit, the new EU data protection rules will still apply and be relevant to UK organisations, and failing to comply could result in major financial sanctions.
Organisations that breach GDPR may also be subject to private claims for compensation by individuals.
The Compliance Briefing is an event aimed at businesses within the gaming industry to help them understand and prepare for these new requirements.
Ahead of the event, we answer some of the frequent issues that arise with GDPR.
When will the new GDPR come into force?
The rules will fully apply from 25th May 2018.
What will change under the Regulation?
Businesses will now have to answer to one data protection regulator called a ‘supervisory authority’. Companies who breach the GDPR could be fined up to 4% of annual global turnover or €20 Million (whichever figure is greater).
Conditions for consent have been tightened. Companies must ensure consent is clear and distinguishable from other matters in an easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Companies will no longer be able to use illegible terms and conditions.
Who does the GDPR affect?
It affects every business within all 28 EU Member States, though States like the UK will be faced with the legislative issue of what to do with certain existing aspects of their national data protection rules that are additional to the rules set out in the 1995 Directive.
GDPR also impacts businesses outside the EU who process the personal data of EU residents and offer them goods and services, irrespective of whether payment is required; or where the processing by a business relates to the monitoring of the behaviour of EU residents in so far as their behaviour takes place within the EU.
What are the penalties for non-compliance?
Under the new regulation, the ‘supervisory authorities’ can impose fines for those who breach the rules. There will be different levels of fines in accordance with three bands of infringements, the highest level of fine being 4% of annual global turnover or €20 Million (whichever figure is greater).
Will the fines really be enforced?
In the first instance, Member States will have individual discretion on criminal sanctions for GDPR infringements. Though it is too early to predict how different supervisory authorities (SA’s) will enforce their powers, it seems inevitable that Member States will have variable approaches. While some SA’s may be more proactive than others, their strengthened authority will likely lead to a tightening up of current enforcement practices.
Can I still market to my existing customers?
Providing they meet the new rules, existing consents should still apply. Where personal data is processed for direct marketing, the individual’s right to object should be clearly brought to their attention.
Does the GDPR apply to cold calling?
Yes! If customers haven’t opted-in to your communication, it’s a breach of GDPR.
What is the “right to be forgotten”?
This is the right of the individual to have their personal data deleted “without undue delay”, for example where data is no longer necessary for the purposes it was initially collected or processed.
What does ‘privacy by design’ mean?
Data protection must be a key consideration when designing data systems, rather than an addition. This principle also ensures that wherever consent from the individual is required for data to be processed, their consent cannot be assumed and must be given actively.
What is an opt-in statement?
No longer can consent be obtained by silence or opt-outs, instead an active process (e.g. ticking a box) must be completed to class as consent. Companies must be able to demonstrate that the individual has actually given consent for their data to be processed. The new rules outline that “Silence, pre-ticked boxes or inactivity should not therefore constitute consent”.
Does my business need to appoint a Data Protection Officer (DPO)?
Possibly, yes. A DPO should be appointed if the core activities of the data controller consist of:
– Processing operations which require large-scale, regular and systematic monitoring of data subjects
– Large-scale processing of special categories of personal data: those revealing racial/ethnic origin; political opinions; religious or philosophical beliefs; trade-union membership, and the processing of genetic and biometric data in order to uniquely identify an individual; data concerning health or sex life and sexual orientation (this can only be processed under strict conditions such as where consent has been given), or data relating to criminal convictions or offences.