Companies must assess the potential impact of the EU’s General Data Protection Legislation in four key areas before it comes into force in May 2018.
The GDPR strengthens data protection regulations for all individuals within the EU and aims to give control of personal data back to consumers.
While there are currently data protection laws in place, the new legislation increases the level of compliance needed by companies and also introduces tougher penalties for data breaches and service failures.
Ashley Winton, partner at McDermott, Will & Emery, guided delegates at the International Auto Finance Network conference through the four main areas of change.
The areas outlined by Winton cover:
- The expanded scope of the new legislation when it comes to personal data.
- Changes to the way companies can engage with individuals.
- Changes to company operations when handling data.
- The enhanced risk of sanctions and litigation.
A condensed version of his presentation is available in this video, courtesy of automotive, consumer and equipment finance software business White Clarke Group.
Winton said the new rules identify personal data as “any information relating to an individual, whether it relates to private, professional or public life”.
This can include a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.
Furthermore, when engaging with consumers, companies will have to provide much more detail in any opt-in forms about how data will be used, and those forms will have to be in the language of the user.
Winton advised that companies should have a detailed audit trail to prove which consents were shown to consumers and when.
This audit trail, along with watertight agreements with suppliers, could be essential in protecting a company in the event of any legal claims. These claims are much more likely to come from private lawsuits than from EU authorities, Winton warned.
He said: “In the small print of the GDPR it’s now possible for not-for-profits to be set up to represent that customer and all the other customers that were affected [by a breach].
“So, this is a very serious risk. It’s not the regulators coming to get you, it’s lawyers and ambulance-chasers coming to get you. And it means the contract between you and the supplier is now critical in mitigating that risk.”