European Union’s General Data Protection Regulation (GDPR): what is it and what are the key changes?
Strict new rules for protecting customer data are just around the corner. Companies which collect data on people in European Union countries will have to comply with the new regulation from 25 May 2018. The General Data Protection Regulation (GDPR) aims to set a new standard for individuals' rights over their data, but companies will be challenged as they put the systems and processes in place to comply.
The penalties for non-compliance are substantial, which is why it is essential for every organization to understand the requirements correctly and to be prepared before the rules take effect.
This article answers three questions: what exactly GDPR is, how it is going to affect organizations, and what the key changes are.
GDPR was adopted by the European Parliament in April 2016, replacing the outdated Data Protection Directive (95/46/EC) from 1995. It requires businesses to protect the personal data and privacy of individuals in the EU for processing that takes place within the EU member states, and it also regulates the transfer of personal data outside the EU. Companies handling consumer data in all 28 EU member states will need to meet the same standard, which is relatively high and will require most of them to invest significantly both to reach it and to keep administering it.
GDPR Key Changes
- The biggest change in data privacy comes from the increased territorial scope of the GDPR. It applies to controllers and processors established in the EU regardless of where the processing itself takes place, and also to controllers and processors outside the EU when they offer goods or services to, or monitor the behaviour of, data subjects in the EU.
- Organizations in breach of GDPR face fines of up to 4% of annual global turnover or €20 million, whichever is greater, for the most serious infringements.
- Requests for consent must be clear, in plain language and easily accessible, and withdrawing consent must be as easy as giving it.
- Breach notification to the supervisory authority within 72 hours of becoming aware of a breach becomes mandatory in all member states where the breach is likely to result in a risk to individuals' rights and freedoms; affected data subjects must also be informed without undue delay when the risk is high.
- Another key change is the right of access: data subjects can obtain from the data controller confirmation as to whether personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data free of charge, in an electronic format where the request was made electronically.
- Data erasure, or the right to be forgotten, entitles the data subject under certain conditions (for example when the data is no longer necessary for its original purpose or consent is withdrawn) to have the data controller erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
- Data portability is another key change: a data subject has the right to receive the personal data they previously provided in a ‘structured, commonly used and machine-readable format’ and to transmit that data to another controller.
- Privacy by design, which becomes a legal requirement under the GDPR (data protection by design and by default), calls for the controller to implement appropriate technical and organizational measures in an effective way in order to meet the requirements of the regulation and protect the rights of data subjects.
- Data Protection Officers (DPO): controllers will no longer be required to notify their data processing activities to local Data Protection Authorities. Instead, there will be internal record-keeping requirements, and appointing a DPO will be mandatory only for public authorities and for those controllers and processors whose core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data or of data relating to criminal convictions and offences.