The General Data Protection Regulation, also known as GDPR, is a law that was created by the European Union in order to strengthen and unify data privacy for all individuals within the EU. This law has far-reaching implications on businesses outside of the EU that have customers within it. In this blog post, we will discuss what it is, why it exists and how you can be compliant with its requirements.
GDPR is the General Data Protection Regulation that took effect on May 25th, 2018. This law was created in order to strengthen and unify data protection for all individuals within the European Union (EU). It also aims to give back control over personal information to EU citizens. The basic rights guaranteed by GDPR are as follows:
- The right to be informed;
- The right of access;
- The right to rectification;
- The right to erasure (also known as the ‘right to be forgotten’);
- The right to restrict processing;
- The right to data portability; and,
- Rights in relation to automated decision making and profiling.
Who does this apply to?
General Data Protection Regulation applies to organizations that are “controllers” or “processors” of personal information of individuals located in the European Union. It also applies to organizations conducting business in the European Union, regardless of where their data is processed or stored. This means that if an EU resident provides personal information to a company in the United States, even unknowingly, then GDPR applies.
What does this mean for organizations?
Organizations must become compliant with General Data Protection Regulation if they control or process the personal information of individuals located in the EU. As mentioned before, this means that if an individual in the EU provides your company with their personal information then you are required to comply with GDPR. The consequences for not becoming compliant may include fines up to €20 Million or 4% of global turnover (revenues).
What are the requirements to be compliant?
General Data Protection Regulation requires that you have a lawful basis for collecting, storing and processing personal information. Furthermore, organizations must collect personal information fairly and lawfully. This means that they should state why they want this information (i.e. the purpose of collection) and only process what is needed for the stated purpose. Organizations must also consider whether they really need to collect all of that information. Would a smaller amount do? If not, then why are you collecting it?
Organizations should also communicate how and where personal data will be used and by whom. Additionally, individuals must give consent to have their personal information collected, stored and processed. Consent must be freely given, specific and informed; individuals should know exactly what their information will be used for and who it will be shared with. This also means that you cannot make consent a condition of the product or service provided by your organization.
Once personal data is collected, organizations are required to protect it from loss and unauthorized access. This means you must put the appropriate technical and organizational measures in place to ensure that personal information is kept safe and secure at all times. Furthermore, organizations should not keep information for longer than necessary.
Organizations are also required to notify individuals as well as a supervisory authority within 72 hours of becoming aware of a data breach. Furthermore, organizations must notify those individuals whose personal data is affected by the breach as soon as possible.
In order to process personal information appropriately, organizations should adopt a risk-based approach. This means that you must assess the risks posed by your processing activities and put in place appropriate safeguards to mitigate those risks. Moreover, your processing of personal information must be done in compliance with data protection principles that are outlined in General Data Protection Regulation. These include lawfulness, fairness, transparency, accuracy and accountability through legal means.
However, it is also important to keep in mind the rights of individuals whose personal data you process. This means that organizations should ensure they respond to requests for exercise of those rights within one month. This is also one of the reasons that organizations should have a designated Data Protection Officer whose role it will be to ensure compliance with GDPR.
The GDPR is a law that was created to protect the personal data of individuals who reside in the European Union. It applies whether or not you have any physical presence in Europe and even if your company does business with people from other parts of the world. In this article, we’ve provided some insights into what it means for organizations to comply with GDPR as well as steps they can take to do so.