GDPR: What is it and what does it mean?
You may have seen on the news that businesses will soon have to comply with new GDPR regulations. GDPR stands for General Data Protection Regulation and is enforced by the European Parliament, European Commission and Council of the European Union, and is designed to strengthen data protection for EU citizens. Its primary aim is to empower citizens to control how their data is stored and how it is used. The new regulation will replace the data protection directive of 1995 and is directly applicable and binding to all EU countries.
When the old regulation was enacted, it did not take into consideration the explosion of the World Wide Web. Since the web’s inception, data exchange has grown and become increasingly complex. For instance, internet giants such as Facebook and Google now swap access to their services for user data. And so, the old regulation was no longer fit for purpose.
So now, while the new regulations will come into force in 2018 and cover the entire data process (from organization collecting, organization protecting to person providing), it now accommodates for organizations outside of the EU, who are collecting information from EU residents and the way in which this data is handled.
GDPR applies to personal data only. However, the regulation broadens the scope of what is classified as data. For instance, while HR records, customer lists, contact details, addresses and medical records will all have been protected by the previous regulation – online identifiers are now included too. For instance, an individual’s IP address is considered to be personal data. Similarly, genetic or biometric data will be covered too.
Importantly, citizens must consent for their data to be processed under these new regulations, and data must comply with a contract or legal obligation and/or be a matter of public or personal interest. For organizations to gain consent, they need affirmative action from the subject. This means that passive acceptance such as opt-out models or pre-ticked boxes no longer comply. If organizations processing this data do not adhere to one of these, then it is deemed illegal.
Organizations who do not follow the basic principles for processing data, such as consent or transferring data to another country, can face hefty fines. The data protection authority could issue a penalty of up to €20 million or 4% of global annual turnover. Similarly, those who suffer data breaches in a cyber-attack, can face a penalty of up to 2% of their annual worldwide revenue or €10 million, whichever is higher.
For further information on GDPR, why not check out our website here.
Do you have a question you’d like answered? Comment below or tweet us @JustAskGemalto