The GDPR: 5 Questions Answered
In a rapidly evolving digital world, privacy issues are of concern to both businesses and individuals. The European Union is addressing these concerns with a new rule called the General Data Protection Regulation (GDPR), harmonizing privacy laws from throughout the EU and mandating a greater level of protection for the privacy of citizens’ data.
What does the GDPR say?
The GDPR is a complex regulation. Simplified, it mandates the following:
- Consent: Consent to the collection of data must be given in a straightforward, easily accessible form. Withdrawing consent must be as easy as giving it.
- Breach Notification: Notification of data breaches is mandatory.
- Right to Access: Users have the right to learn whether and for what purpose their personal data is being processed by an organization, and to receive a copy of that data free of charge.
- Right to be Forgotten: Subjects of data collection have the right to have all their personal data erased if consent to collect it is withdrawn, or if the data is no longer relevant.
- Data Portability: Data subjects have the right to receive their personal data in a commonly readable format for the purpose of transferring it.
- Privacy by Design: Systems must be designed with data protection as an essential element from the outset, rather than as an addition later.
- Data Protection Officers: While it is no longer required to submit data processing activities to local Data Protection Officers (DPAs), there are now internal recordkeeping requirements to ensure systematic monitoring of sensitive data.
Why is the GDPR important?
Many GDPR provisions already exist in legislation in various countries. The GDPR allows these rules to be standardized across the EU, and to apply to non-EU data processors interacting with EU citizens’ data. With its focus on transparency, the GDPR mandates a previously unknown level of individual visibility into and control of personal data, with the aim of protecting the data of EU citizens and safeguarding their rights to privacy.
Who does the GDPR impact?
Called “increased territorial scope,” one of the major provisions of the GDPR is that it applies not only to EU organizations but to any processor of EU citizens’ data for the exchange of goods and services or monitoring behavior. This is true regardless of the physical location of the organization and is not predicated on the exchange of money.
What are the penalties for non-compliance?
There is a tiered fine approach to GDPR non-compliance. Penalties may be up to 4% of annual global turnover or €20 Million. Penalties apply to both data processors and controllers—the “cloud” is not exempt.
When does the GDPR take effect?
The GDPR takes effect on May 25, 2018.
For more details about the GDPR, see https://www.eugdpr.org/.