If your company collects personal data from EU citizens, you will need to make significant adjustments to comply with the new regulations. But before you can make any adjustment, you need to understand what GDPR entails. This article will discuss the new laws in detail. It will explain the specific regulations, their implications, deadlines, and the fines for noncompliance.
GDPR stands for General Data Protection Regulations. The EU parliament passed the regulations on April 14, 2016. They are a set of rules that harmonize the data privacy laws across the European Union. According to the EU, the GDPR aims to promote data privacy for all EU citizens and change the way firms approach data privacy in Europe.
The GDPR was enacted to replace the Data Protection Directive of 1995. Though the Data Protection Directive controlled the handling of personal data in the EU, it had become redundant. The digital landscape has changed significantly since 1995. For example, personal data can no longer be regarded as a person’s identification and bank details only. Today, things such as IP addresses and cookies can also constitute personal data.
The GDPR is more stringent than the Data Protection Directive. Toughening the rules was motivated by the public outcry over data privacy in Europe. In a recent study, 80% of European respondents said that security of their financial details was a top concern. Furthermore, in the same survey, 62% percent of the respondents said that they would blame their banks, not hackers, in the event of a data breach. The survey shows that before enactment of the GDPR, the public was calling for stricter measures to guarantee their privacy.
Under the new rules, personal information includes, but is not limited to:
- identification details such as names and passport numbers
- political views
- sexual orientation
- biometric information
- genetic and ethnic data
- health information
- Internet data such as cookies and IP addresses
GDPR defines various rights of data subjects which all companies should grant. Some of these rights include:
In cases where a data breach is likely to compromise the data subject’s rights and freedoms, the data controller should give a notification. The breach notification should be done within 72 hours of realizing the breach. The data processors are required to alert the data controllers and customers without delay.
Right to data erasureUnder GDPR, data subjects can demand that data controllers erase their private data. They can also request the data controllers to stop further processing and dissemination of their the data. Reasons for demand of erasure include withdrawal of consent and expiry of the original processing purpose.
Right to accessData subjects have a right to know the status of their personal data. Such information include why and where the data is being processed. Data controllers are also required to provide the data subjects with an electronic copy of their personal data on request. That service should be offered free of charge.
Data portabilityData subjects have the right to obtain their personal data, and transfer it to another data processor. Furthermore, the data controller should provide the personal information in a “commonly use and machine-readable format’”
For now, compliance with the GDPR should be a top priority for every company. The regulations will bring fundamental changes in data handling processes. The new rules will also have considerable financial implications. It is crucial to set aside a big budget for data compliance measures such as recruitment of new personnel.
Furthermore, GDPR will require a review of third-party contracts. It is important to ensure that you are working with GDPR-compliant third data services providers.