What’s GDPR?
GDPR is a series of laws spelling out the digital rights of citizens of the EU. The European Parliament first proposed the GDPR in 2012 as a way to create consistent data privacy laws across the EU member states, replacing an outdated directive from 1995 and an even older set of principles called the Fair Information Practices. GDPR is one of the most robust data privacy laws in the world, and its provisions are consistent across all 28 EU member states. This means companies have just one standard to meet; that standard is quite high and will require most of them to make a large investment to comply and to manage compliance.
The final text of GDPR includes the following requirements:
- Anyone involved in processing EU citizens’ data can be held liable for a breach.
- When a consumer no longer wants their data to be processed by a company, the data must be deleted (provided there are no legitimate grounds for retaining it).
- Companies that process sensitive data on a large scale must appoint a data protection officer.
- Companies should notify the relevant national supervisory authority of serious data breaches as soon as possible.
- Parental consent is required for children under 16 years of age to use social media.
- There will be a single supervisory authority for data protection claims, with the intention of streamlining compliance for businesses.
- People have full and absolute right to data portability, to allow them to easily transfer their personal information between services.
When was this regulation implemented?
The GDPR was first proposed in 2012, adopted in April 2016 and finally came into force on 25 May of this year. If you’re new to the GDPR game, this was the first day on which the new regulation could officially be enforced in the EU against any organization that collects personal data and fails to comply with the new rules. In the days since GDPR Day and the start of enforcement, many companies (including the big ones) have failed in some way to comply with the new regulations, especially those that have attempted to comply in a way that avoids the consumer protections. If your organization has taken the necessary steps to comply in good faith and cares about the personal data of its customers, employees and anyone else whose data it collects, it is probably safe. However, if you have only made an effort to appear compliant with GDPR while subverting the privacy regulation, you should be concerned.
How does GDPR affect companies?
At first glance, it may seem that the GDPR only applies to global corporations that do business overseas. This is a false perception that could harm many small businesses. No matter the size of your organization, if you collect or process personal data on citizens of the European Union (from email addresses to medical records), you are legally required to comply with GDPR, even if you have no business presence within the EU. If you don’t want to be negatively affected by the change, you need to understand your responsibilities under the regulation. A company is required to comply if it meets any of the following criteria:
- Physical presence in an EU country
- No physical presence in the EU, but it processes and/or stores personal data of European citizens.
- It has more than 250 employees.
- It has fewer than 250 employees, but its data processing affects the rights of data subjects or includes certain types of sensitive personal consumer information.
Companies need to put procedures and systems in place to ensure that each of the GDPR clauses is correctly fulfilled, validating how any personal data is collected, stored, processed and shared.