Starting May 25, 2018, important changes will be made to the legislation on personal data protection in Europe. The new European legislation on the protection of personal data, the General Data Protection Regulation (GDPR), could generate a wave of lawsuits against companies from the European Union.
Companies risk administrative fines of up to 20 million euros or up to four percent of total turnover, depending on which GDPR obligations are violated and on the severity of the situation.
GDPR will be adopted two years after its publication
The General Regulation on the Protection of Personal Data will become law on May 25 this year, two years after its publication. The purpose of this delay was to allow companies to draw up and implement their own framework for complying with the requirements of the new law. In other words, companies from Europe will have to resolve their GDPR compliance before the new Regulation becomes law, because after May 25 they risk significant sanctions for non-compliance.
New rules for big European companies
The new European legislation on personal data protection (GDPR) brings a number of changes for European businesses. Big companies are required to appoint, under certain conditions, a data protection officer for a company or a group, who will act as a local representative of the company before the authorities.
The job of the data protection officer will be to ensure that all processes and the operator's procedures comply with the law and to notify the competent authority within 72 hours when a violation of personal data security occurs.
New rules for consent regarding personal data
The consent to process personal data will have a much more restrictive regime.
Thus, the request for consent must be intelligible and easily accessible, using clear and simple language. If several aspects are included, the request for consent must be clearly differentiated from the other aspects. Withdrawing consent must be as simple as giving it. Moreover, some practices, such as making the delivery of a service or a product conditional on agreement to data processing for direct marketing, will no longer be allowed.
People's rights on their personal data
The General Data Protection Regulation (GDPR) gives individuals the following rights: the right to be informed, the right of access to their personal information, the right to raise objections, the right to restrict data processing, and the right to delete their personal information. The last of these is also called "the right to be forgotten."