In May 2018, the European Commission – the European Union’s (EU) executive body – will introduce the General Data Protection Regulation (GDPR).
The GDPR was adopted on April 27th 2016 and requires a two-year transition period.
By adopting the GDPR, the European Commission said it plans to strengthen and unify data protection for EU citizens. In addition, it focuses on the exporting of personal data outside of the EU. The Council of the European Union added that the GDPR intends to “improve business opportunities by facilitating the free flow of personal data in the digital single market”.
The GDPR is relevant to companies that provide any products or services to EU member states, as well as those that collect data on behalf of European customers.
Companies whose activity means they regularly and systematically collect personal data on a large scale, as well as firms that handle sensitive data, will be required under the provisions of the GDPR to hire a data protection officer. This will also be necessary for any public authorities or organisations.
The data protection officer will be expected to manage IT processes, data security (including dealing with cyber-attacks) and other aspects surrounding the holding and processing of personal and sensitive data.
A number of EU member states have criticised the idea of being forced to employ a data protection officer on the grounds of increased administrative burden. However, this aspect of the GDPR has not been removed and companies will still be required to employ data protection officers.
According to the GDPR’s rules, valid consent must be explicit, both for the data collected and for the purposes for which it is used. Consent for children under the age of 13 must be given by parents or guardians, and data controllers must be able to prove that consent was obtained.
The new rules emphasise how important an appropriate Mobile Device Management (MDM) service is for companies.