Having a Privacy Policy on your website is an absolute must. This is not something website owners have made up or something that legal professionals have decided to charge for.
Until now, in the European Union, the requirement to have a Privacy Policy has stemmed from the EU Data Protection Directive (95/46/EC). That rule, however, was designed in 1995 – more than 21 years ago. At that time, the Internet was a fairly new innovation for many people. Websites were just emerging. Social media platforms and mobile apps did not even exist. It can therefore be said that, until now, the rules have been relatively vague.
This year, a new set of rules was adopted by the EU. Regulation (EU) 2016/679 (the General Data Protection Regulation, or “GDPR”) will replace the abovementioned Directive. The Regulation takes into account the specifics of the new digitalised world and carries data protection law forward. This, however, means changes to compliance obligations and stricter rules for Website, Mobile App and Software owners.
Who do the new rules apply to?
The new Regulation, imposing Privacy (Policy) obligations, will apply to and impact almost every organisation or company based in the EU. Apart from that, companies that either offer goods or services to EU residents or monitor the behaviour of EU residents, and are thus doing business within the EU, will be subject to the rules of the GDPR.
What are the penalties?
Under the new Regulation, failure to comply with its rules can lead to ground-breaking legal fines. The greater of €20 million or 4% of the company’s worldwide turnover can be imposed on those who do not have comprehensive rules and do not abide by them. Fines of that size are fully capable of destroying a large business, let alone small or medium-sized enterprises (SMEs).
Increased amount of obligations?
Indeed. The bar for compliance will be raised considerably for business owners. New requirements will need to be fulfilled in Privacy Policies; stricter limits on the collection and use of personal data will be imposed; and individuals will have greater rights of action to enforce their rights against Website, Mobile App and Software owners.
Satisfying these new requirements will be a serious test for many of the latter.
You need to prepare!
The Regulation was adopted in May 2016. This means that it is about time for you to prepare to be compliant with the new rules. Novelties in the GDPR include, among others, territorial application, consent, rights of data subjects, 72-hour breach notification, increased compliance obligations for controllers, and appointing a DPO. These new requirements must all be reflected in a crucial update of every Privacy Policy of a Website, Mobile App or Software.
Early planning is essential.
Enforcement of the new rules starts in 2018. And although that seems like ages from now, it should be noted that all business owners need to bring their operations into compliance with the Regulation BEFORE 2018. As the GDPR radically changes most aspects of the collection and processing of personal data, the scale of this task, and especially the seemingly excessive size of the legal fines (which, in fact, is not excessive at all!), should not be underestimated.
This includes a complete review, revision and re-drafting of existing and future Privacy Policies, as well as Terms and Conditions, Cookie Policies, etc.
Lege Nova’s team has now attended a number of seminars, training sessions and conferences in order to expand its knowledge of the upcoming GDPR developments to the fullest extent possible.
Our practice is ideally positioned to guide Website, Mobile App and Software owners through the process of understanding and complying with the Regulation’s rules relating to online business. Combined with our long-standing, deep experience in the field of Data Protection, Lege Nova is now fully prepared to advise companies on their new data protection compliance obligations under the General Data Protection Regulation.