General Data Protection Regulation (GDPR): What You Need to Know
The new EU General Data Protection Regulation (GDPR) came into effect on May 25, 2018. Both the GDPR and the UK Data Protection Bill made sweeping changes to how businesses collect, process, and use personal data.
The EU GDPR replaces the Data Protection Directive 95/46/EC and aims to protect and empower the data privacy of all EU citizens. The GDPR was intended to change the way organizations across the region approach data privacy. Once the legislation came into effect, it gave European citizens greater control over the data that belongs to them and forced organizations to adopt a customer-first mindset. It gave data subjects the right to know where, when, and how a specific organization uses their data. It also gave them easier access to their personal data, such as name, home address, photograph, bank account details, or medical information.
GDPR does not apply to personal data used for national security or law enforcement purposes. However, alongside the GDPR, a separate Data Protection Directive for the police and criminal justice sector was adopted. It lays down stringent rules on the exchange of personal data at any level, whether national, European, or international.
The Key Aspects of GDPR
The objective of GDPR is to protect EU citizens from data breaches that would compromise their privacy or identity. Below are the substantial changes and a discussion of how the new GDPR compliance environment affects individuals and businesses now that it is in effect.
- Impact on Businesses – The regions in which the law applies have expanded considerably. The extended jurisdiction of GDPR means it applies to all companies processing the personal data of EU citizens, irrespective of where the company is located. Previously, data regulations and privacy policies were framed in the context of the establishment, which resulted in a lot of ambiguity about the scope of the law. Now it does not matter whether companies process the data within or outside the EU, and the EU citizenship of the data subjects is also irrelevant.
- Conditions for Consent – The conditions set for customer consent in GDPR are more stringent than before. Companies collecting personal data must provide the data subject with consent forms written in clear and easily understandable terms. Consent forms need to be easily accessible and comprehensive, stating everything in clear, concise, and simple language, and they must state the purpose for which the data is collected and processed. To consent to the collection and processing of personal data, the data subject must be at least 16 years of age. If the data subject is below 16 years of age, the processing of personal data is considered lawful only if the child's parent or legal guardian gives consent.
- Heavy Penalty for Non-Compliance – An organization that does not comply with the new legislation will incur a penalty that can be as high as 4% of annual global turnover or $20 Million (whichever is greater). One can imagine the fine a large organization (such as Google or Apple) with an enormous global turnover could end up paying if it fails to comply with the new GDPR norms.
Data Subject Rights
- Privacy Breach Notification – Under the new law, it is mandatory to notify the affected data subject of a data breach, clearly specifying what has happened. The individual has to be notified within 72 hours of the privacy/data breach occurring.
- Right to be Forgotten – This is also known as Data Erasure. It entitles the data subject to have the data controller completely delete all of the personal data in its possession and stop any further processing or distribution of that data in any form.
- Data Subject Access Requests – Individuals can submit Data Access Requests to the organization or the relevant data controller. They have the right to know why the organization stores their data and what it intends to do with it. Moreover, the controller must provide the data subject with a copy of the personal data in an electronic format, completely free of charge. The data controller is also obliged to respond within 30 days of receiving such a request.
- Privacy by Design – Organizations should build a GDPR-compliant data privacy policy into system design from the very beginning. The law states that ‘The controller shall implement appropriate technical and organizational measures effectively, to meet the requirements of this Regulation and protect the rights of data subjects.’ Article 23 of the law also states that organizations should hold and process only the essential data required to complete their tasks, a concept called Data Minimization.
- Data Portability – GDPR also introduces data portability, whereby data subjects can request the personal data they originally provided and transmit it to another data controller.
- Data Protection Officers – Before GDPR, data controllers had to report all of their data processing activities to local data protection authorities (DPAs), which could be very burdensome. That is no longer necessary under GDPR. Instead, internal recordkeeping is required, and DPO appointments are mandatory.
How We Can Help
The GDPR Consulting Services offered by EPC Group are well known and trusted by our clients. Our data loss prevention (DLP) consulting strategies and processes help protect your data at endpoints, on networks and servers, and in the cloud, including data in transit between locations. Our consulting services aim to create a compliance strategy centered on central policy information, eliminating the need for several disparate technologies across multiple security layers.
Our advanced network security team and experienced privacy professionals use their data privacy expertise to draft strategies and solutions around centralized data policy management. This gives IT administrators granular control and visibility to monitor, evaluate, and take appropriate action on unusual network activity based on their specific needs.