GDPR is here, so what has actually changed?

28 May, 2018

On Friday 25-May-2018, the year-long deadline to comply with the new European General Data Protection Regulation (GDPR) came into effect. At the time, the Blue Swan Daily explored the implications for the global travel sector and whether or not it was prepared for the change (see report: 'D-day' arrives for GDPR, but does the global travel sector understand it and is it fully prepared for its implications?). Experts at BCD Travel have since dived further into GDPR and emerged with a list of nine big changes which have come into effect since Friday:

  1. More consistency: GDPR will become law without legislation in each EU member state. This means a greater degree of harmonisation on data protection requirements.
  2. Broader scope: "Personal data" will be defined more widely and include online identifiers such as internet protocol, or IP, addresses.
  3. Effect beyond region: The law applies to entities that are established in the EU; offer goods and services in the EU; or monitor the behaviour of individuals in the EU. So, even a company without a presence in the European Union may be subject to the requirements.
  4. Bigger fines: Failure to comply with GDPR requirements can lead to fines of up to EUR20 million (about USD23.6 million) or up to 4% of the annual global turnover of the previous financial year.
  5. Clearer consent: GDPR sets a high consent standard for processing (collecting, using and storing) personal data. The consent must be unambiguous and involve a clear, affirmative action. Silence, pre-ticked boxes or inactivity cannot be used to imply consent. People also must be able to revoke consent easily.
  6. Breach notification mandates: GDPR requires a data breach to be reported to the EU data protection authority "without undue delay" and, where feasible, within 72 hours of awareness, unless the breach is not likely to put the rights and freedoms of affected individuals at risk. In certain circumstances, affected individuals must be notified without undue delay. In addition, GDPR requires a data processor to notify the companies it serves without undue delay if there's a breach.
  7. Expansion of individuals' rights: The new law bolsters existing rights of individuals and introduces new ones, such as the right to be forgotten and the right to data portability (transfer of data to another party).
  8. Privacy by design: Data privacy must be considered from the outset when new technologies are designed. Companies using people's data must conduct privacy-impact assessments on any potentially "high-risk" processing, for example, when using new technologies.
  9. Data protection officer: GDPR requires appointment of a data protection officer if an entity's "core activities" involve regular, large-scale processing or monitoring of individuals' data, in particular data related to criminal convictions or offences.

Read BCD Travel's full GDPR report for more details.