On 27 April 2016, the European Union passed Regulation (EU) 2016/679 – also known as the General Data Protection Regulation (GDPR).
On 27 April 2017, Germany adopted it – well ahead of the 25 May 2018 deadline – with other European countries set to follow. By that date, GDPR will be fully enforceable and will affect all products and services that collect the personal data of EU citizens and residents.
Put simply, GDPR will require:
At nearly 55,000 words in length, the full legislation document is extensive. So here are the key fundamentals that UK electrical appliance manufacturers and retailers should be aware of:
Since the dawn of the Internet of Things, a whole host of devices have collected and transmitted user data. Not just the obvious appliances like smart TVs but also wireless speakers, smart fridges, security cameras and even toasters.
All of these devices retain data, and under the new rules data protection must be built into any product or service “by design.” In practice, this means appliance manufacturers may now incur additional development costs in order to ensure the finished product adheres to (EU) 2016/679.
GDPR specifies that the type and volume of data collected on users should be restricted to only what is necessary. Collecting any data beyond this will require the vendor or supplier to gain permission from users via opt-in.
Any data sent wirelessly – for example, via Wi-Fi between devices – will also need to be encrypted.
The new GDPR rules will ensure technology users are entitled to, in essence, carry their data around with them. So when an EU resident moves from one service provider to another, any data collected on them must be made available. In order to facilitate the effective transfer of that data, the regulation requires it to be saved in an accessible and widely compatible format, such as a CSV file.
(EU) 2016/679 applies not only to companies trading in Europe, but also any company collecting the data of EU citizens and residents. According to the European Union website: “It (GDPR) will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not.”
The GDPR rules also require companies to immediately disclose any data breach to European regulators. Again, this applies no matter where the company is located, as long as the data collected is on European citizens or residents. Penalties begin at €20 million and could reach 4% of the offending company’s global revenue if the maximum fine is applied.
The UK’s upcoming exit from the European Union will have no bearing either, as (EU) 2016/679 will be ported into UK legislation.
Unlike with European directives, there is no need for individual countries to pass laws to make GDPR enforceable. So on 25 May 2018, Regulation (EU) 2016/679 will be in full effect.
There will be no grace period, meaning fines and penalties can be incurred and issued straight away.
In order to comply with regulation (EU) 2016/679, any returned item that stores user data will require wiping as part of the return-to-sale process.
Servicecare holds Blancco certification – the de facto global standard in certified data erasure. And thanks to our recently expanded data wiping facility, Servicecare can ensure all data is removed as part of the reconditioning process.