The new General Data Protection Regulation (GDPR), approved by the EU in December 2015, will come into force in every Member State on 25 May 2018, but with the United Kingdom set to leave the European Union in March 2019 there are complications when it comes to implementing EU legislation.
What do I need to know?
The UK government has confirmed that it will implement GDPR in May 2018, as it will still be an EU member state when the regulations are introduced. This statement came from the Secretary of State for Culture, Media and Sport, Karen Bradley, and ultimately means that organisations in the UK need to be GDPR compliant by 25 May 2018.
GDPR is the first major legislative overhaul of European data protection law since the drafting of the Data Protection Directive (DPD) in 1995. GDPR is an extension and expansion of the DPD that attempts to privilege the individual’s right to have control over their own data.
It will be the first of its kind; a global data protection regulation. Data protection is growing in global importance as online interaction becomes the primary way of carrying out business. The world of data processing has changed substantially since the 1990s and the introduction of GDPR is a welcome development for individuals concerned about their right to access their personal information.
What does this mean for the UK?
While there has been uncertainty among UK businesses as to whether it would be worth investing in preparations for GDPR compliance given the lack of clarity surrounding Brexit, it is now clear that the United Kingdom is legally bound to implement GDPR because its member status will be unchanged in May 2018. As well as this, regardless of the UK leaving the EU, if any UK business wants to interact with the data of EU citizens in future, it will have to comply with GDPR; the regulation is not only binding for member states. Article 3 of the new regulations discusses which companies could qualify as culpable: “all the processing activities related to the offering of goods or services to data subject of the EU” and all “the monitoring of EU data subject behaviour taking place in the EU”.
One of the most important things to understand about GDPR is that if your business processes or manages any information that pertains to an individual in the EU, you are bound under the new regulations. If your company operates in the UK you will need to adhere to the new regulation or face potentially serious repercussions. These data protection regulations will affect every organisation, based inside and outside the EU, that processes or stores the personal data of EU citizens.
How will GDPR affect me?
If you have a business that deals with the personal data of individuals living in the EU, or use this data to carry out any aspect of your business, you need to make the necessary preparations for GDPR. There are a number of new requirements that did not appear in the EU DPD that could catch you out and result in fines of up to 4% of your global revenue.
A major change that some companies are struggling to grasp is that it is who the information pertains to, not where the information is stored, that matters. Previously, it was the location of the data processing centres that determined which rules applied. Under the new law it does not matter where the processing centres are based; what matters is the subject whose information it is. In other words, you do not have to be physically established in the EU for GDPR to apply to you.
As GDPR is an extension of DPD there are similarities but also major differences between the regulations. Some of the developments need to be interrogated thoroughly in order to be implemented properly for your business.
Here are some new and important features:
- The Right to be Forgotten: An individual’s right to withdraw their consent of the use or storage of their personal data and to request it be deleted.
- Privacy by Design: Processes that involve interacting with personal data will now be designed to explicitly obtain consent from an individual for the use of their personal data, as opposed to relying on implied consent.
- Breach Notification: When an organisation becomes aware of a security breach of personal data, under this new regulation, they must notify the data authorities within 72 hours of the breach coming to their attention. Subjects will also be notified if the data collected poses a “high risk to their rights and freedom”. Failure to do so may result in a fine.
- Extraterritoriality: If a company collects data about EU subjects, regardless of that company’s physical presence in the EU, it is obliged to adhere to GDPR. This will have a huge effect on e-commerce and other cloud organisations.
Regardless of the UK’s member state status, the General Data Protection Regulation is a vast and complex set of laws that must be invested in and implemented if one is to continue doing business in the EU, or business with data collected from the EU. Brexit does not render the United Kingdom exempt from global data regulation. It is important to pay attention to the development of the UK’s own data protection laws upon exiting the EU, but for now GDPR should be of paramount importance to every business inside and outside the EU.
Editor’s note:
From time to time, SensorsTechForum features guest articles by cyber security and infosec leaders and enthusiasts, such as this post. The opinions expressed in these guest posts, however, are entirely those of the contributing author and may not reflect those of SensorsTechForum.