EU General Data Protection Regulations (GDPR) made in 2016, must be implemented by May 25, 2018, and its impact on optical businesses has only just hit the industry.
At a round table discussion at our last general meeting the larger companies shared what they have done to ensure compliance, but there were still more questions than answers, and the discussion will continue at our next meeting. In the meantime the Optical Confederation is finalising GDPR guidance for the optical sector.
The current directive was issued by the EU in 1995, when the world was very different to the data-driven environment of today. While a directive can be implemented differently in each country, a regulation is uniform across the whole of the EU.
The reach of GDPR is much wider than the directive, applying to any company doing business in the EU, irrespective of that company’s geographical location. There is a strong focus on the rights of individuals to prevent information being held too long or without good reason or for purposes without permission. Organisations will have to disclose the intended use and storage period and request new permission every time the data is used.
For many FMO members a particular issue is the need for any company employing more than 250 people to appoint a data protection officer – to manage the process of building security and privacy into operations. We are investigating whether there are enough people available and determining the skills needed for this very different approach to the storage, analysis and use of personal data held by an organisation, where the penalties for breach are so severe – up to the greater of 4% of annual global turnover or €20M.