As of 25th May this year, a new framework for European consumer data protection came into force, aimed at driving radical changes in everything from technology to advertising and from medicine to banking. This regulation sets a new standard for data collection, storage and usage among all businesses (no matter their size, industry or country of origin) that handle the consumer information of EU citizens. The main objectives of the GDPR are to give citizens back personal control of their data and to simplify regulation for businesses; that is, to change the way companies handle consumer privacy and to give people new rights to access and control their own data on the internet. However, now that the regulations carry the force of law, businesses could face steep fines for failure to comply, especially because the GDPR leaves much to interpretation. For example, it says that companies must provide a “reasonable” level of protection for personal data, but it doesn’t outline what that definition constitutes, which gives the GDPR governing body a lot of leeway when it comes to assessing fines for data breaches and non-compliance. Sadly, many companies thought this change was just about sending a couple of e-mails saying “the privacy policy has changed” and “just click here so we can stay in touch”, which hindered their response plans for incidents. For this reason, we’ve compiled all the GDPR information you need to know, along with some tips to meet its requirements.
What’s GDPR?
GDPR is a series of laws spelling out the digital rights of citizens of the EU. The European Parliament first proposed the GDPR in 2012 as a way to create consistent data privacy laws across the EU member states, replacing an outdated directive from 1995 and an even older set of principles called the Fair Information Practices. GDPR represents one of the most robust data privacy laws in the world, and its provisions are consistent across all 28 EU member states. This means companies have just one standard to meet, which is quite high and will require most of them to make a large investment to comply and to manage compliance. The final text of GDPR includes the following requirements:
- Anyone involved in processing EU citizens’ data can be held liable for a breach.
- When a consumer no longer wants their data to be processed by a company, the data must be deleted (provided there are no legitimate grounds for retaining it).
- Companies that process sensitive data on a large scale must appoint a data protection officer.
- Companies must notify the relevant national supervisory authority of serious data breaches as soon as possible.
- Parental consent is required for children under 16 years of age to use social media.
- There will be a single supervisory authority for data protection claims, with the intention of streamlining compliance for businesses.
- People have a full and absolute right to data portability, allowing them to easily transfer their personal information between services.
When was this regulation implemented?
How does GDPR affect companies?
At first glance, it may seem that the GDPR only applies to global corporations that do business overseas. This is a false perception that could harm many small businesses. No matter the size of your organization, if you collect or process personal data on citizens of the European Union (from email addresses to medical records), you are legally required to comply with the GDPR, even if you have no business presence within the EU. If you don’t want to be negatively affected by the change, you need to understand your responsibilities in complying with the regulations. The specific criteria for companies required to comply are:
- Physical presence in an EU country.
- No physical presence in the EU, but the company processes and/or stores personal data of European citizens.
- The company has more than 250 employees.
- The company has fewer than 250 employees, but its data processing impacts the rights of data subjects or includes certain types of sensitive personal consumer information.
In all of these cases, companies need to put procedures and systems in place to ensure that each of the GDPR clauses is correctly fulfilled, validating how any personal data is collected, stored, processed and shared.