EU data protection regulation passes in Brussels giving citizens right to be forgotten online

For free real time breaking news alerts sent straight to your inbox sign up to our breaking news emails

Sign up to our free breaking news emails

Please enter a valid email address

Please enter a valid email address

SIGN UP

I would like to be emailed about offers, events and updates from The Independent. Read our privacy policy

The EU adopted new legislation on data protection on Thursday that could give people more control over their personal information including the right to be forgotten online.

The European Union’s General Data Protection Regulation (GDPR) passed on April 14 in Strasbourg after more than four years of negotiations.

It aims to give citizens back control over their data. It also means companies could face huge fines for breaching the new law.

The regulation is to replace the EU data protection directive which dates from 1995, when the internet was still in its infancy.

It intends to protect consumers and improve law for businesses in a digitised word of smart phones, social media, internet banking and global transfers.

Under the new law, companies will now have to take the issue of data protection much more seriously while the rights of individuals will be improved in the new digital age.

Data protection errors will be far more expensive than before.

Companies that do not comply with the strict new requirement will face fines of up to 4 per cent of their global revenue for the previous year, or €20 million (£15.8m) depending on which is greater.

In the UK, the maximum current penalty stands at about £500,000, according to Steven Lorber, a consultant partner at Lewis Silkin law firm, who specialises in data protection.

Businesses will have to appoint a special data protection officer if they are handling significant amount of sensitive data or monitoring the behaviour of many consumers. Under the new legislation firms must keep track of personal data in auditable ways and provide breach notification within 72 hours.

“The first mistake that organisations made is to assume this is just an IT issue, it’s not. It is a very significant business risk and needs to be dealt with at senior leadership level,“ Andrew Rogoyski, vice president of cyber security services at CGI, told the Independent.

Mr Rogoyski said that one of the biggest risks facing organisations is reputational damage. "In world where information is the most valuable currency, maintaining customer trust will be key to ensuring business success. Businesses which can’t get data protection right will quickly undermine customers’ trust and lose to the competition," he said.

"Now the starting gun has fired, companies have two years to get their handling of personal data into order or they face the possibility of punitive fines and public humiliation. We’re already receiving requests from clients to undertake work to assess the impact of the [General Data Protection Regulation] on them,” he added.

The new rules will essentially give individuals greater control over their personal data.

Among other things, you will have the right to:

“Be forgotten”: This means that when an individual will no longer want his data to be processed, provided there are no legitimate reasons for retaining it, he can ask his company to erase it. This extends to internet companies storing our data, so someone could now technically ask Facebook to erase its profile along with all the data that it has gathered while you were using it.

Mr Rogoyski said that one of the biggest changes proposed in the new regulation is the the increased transparency of how personal data is being used by organisations.

The regulation puts onus on businesses and public bodies to notify users about how their personal information is being collected, stored and shared.

"This will have a profound effect on data processors operating in Europe, forcing them to take toucher measures for data protection and controls, including stricter privacy assessments and data management rule," Rogoyski said.

“Be notified”: Companies must notify individuals earlier and in a much more comprehensive manner if they process their data.

“Switch one’s personal data to another service provider”: Under the new rules, any person will have the right to “data portability” to make it easier for individuals to switch their personal data between service provider.

For instance, it should allow a user to switch to another email provider without losing contacts or previous emails. It will not only give individuals more control over their data, but also stimulate competition in the digital single market, according to the EU’s statement.

Any individual who uses the web, has a social network account or email address.

Managers, heads of IT and any other staff responsible for data protection within a company should pay attention.

More importantly, the rule applies to all companies conducting business in Europe regardless of where the companies are based. This means a single set of rule will replace the current patchwork of national laws, making clearer both for businesses and consumers.

"The approach of the GDPR provides a risk based application of a "one size fits all" set of rules across the EU and recognises the different levels of privacy risk associated with SMEs and large global organisations. Privacy will be catapulted up the list of global organisations’ enterprise risks, requiring them to re-evaluate take action," said Mark Thompson, privacy lead in KPMG's cyber security practice.

“For non-EU businesses that trade in the EU, this agreement will require some to re-think some of the activities they carry out in the EU. This makes it much harder to operate certain “global” services and will require them to truly put an EU lens on the business activities which are undertaken in the EU market," Thompson added.

The law passed on Thursday 14 April, marking the end of the legislative procedure.

The regulation will enter into force 20 days after its publication in the EU Official Journal. Its provisions will be directly applicable in all member states two years.

“It’s clear that by the time the regulation comes into play in 2018, for a number of organisations, there will be a lot of work to do,” Thompson said.