6. Harmonised user request rights
Under the current directive, users already have the right to see the data held about them (subject access). However, each country currently sets its own deadline for how quickly data controllers must respond (the UK allows 40 days). Under the new regulation the deadline will be harmonised across member states, probably to 20 days.
7. New erasure rights
In the new regulation, users can also demand that their data be erased. This may sound straightforward, but it is rarely that simple in practice. If a person asked to be removed from one of your databases, how would you go about it? Would you have to remove the data from multiple systems, including backups, replicas and third-party processors? Are there syncing or replication processes that would quietly restore a record you had deleted? Do you have a documented procedure for this today, and how would you remove contact details that live in individual databases or spreadsheets rather than a central store? These questions need answering now, not after the regulation comes into force.
8. It is your responsibility to inform users of their rights
Under the new regulation, controllers must inform and remind users of their rights, and must document that they have done so. In addition, users should not have to opt out of their data being used: they must actively opt in to your systems, so consent cannot be inferred from silence or a pre-ticked box. This is more stringent than the current directive, and companies that fall foul of these measures will face larger fines.
9. Tougher sanctions and streamlined incident reporting
This is the big one. In case there was any doubt about how seriously the regulators are taking data breaches, sanctions have been made much, much tougher. Under the draft text, fines may be as high as €100m or 5 percent of global annual turnover (whichever is higher), in stark contrast to the current UK position, where the maximum fine is £500,000.
Currently, different countries have different rules on reporting data loss to both the regulator and the affected users. The regulation is intended to streamline the process, most likely so that regulators must be informed within 72 hours of the breach being discovered, unless, under the 'reasonable expectations' requirement (explained shortly), the data was encrypted or tokenised. Note that this exemption only helps if the encryption keys or the token vault were not compromised along with the data, so record where keys are held and who can reach them before you rely on it.
Arguably, something is missing from this new rule, namely a deadline for informing users. TalkTalk, for instance, recently suffered a data breach and informed regulators within the required 72 hours (the UK rule). However, users were not informed until several months later, during which time criminals used the stolen contact information to phone and email TalkTalk customers, pretending to be from the company in an attempt to steal money. TalkTalk should have moved faster to inform its customers of the data breach, because the window between breach and customer notification is precisely when stolen contact details are most useful to fraudsters.