The growth of technology and electronic communication means that every day, almost every hour, we share our personal data with a huge number of organisations, including shops, hospitals, banks and social media sites. Our data is collected, used and stored by these organisations. There is significant public concern over privacy, and it grows with every new high-profile data breach. People are increasingly realising that their personal data is not just valuable to them, but hugely valuable to others.
To give users more control over their data and better transparency on how it is being used, the European Union has introduced a new regulation known as the GDPR (General Data Protection Regulation) to protect users' personal data.
Let's try to understand the key aspects of the GDPR without too much legal jargon.
What is GDPR?
What kind of data does the GDPR protect?
The regulation applies to a broad array of personal data including name, ID numbers and location, as well as IP addresses, cookies and other digital fingerprints.
Who enforces the GDPR?
The European Union Parliament passed the law in April 2016, and each member state will have its own supervisory authority.
Which companies does the GDPR affect?
This regulation will have global implications. Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if it has no business presence within the EU.
Failure to comply
Failing to comply will result in a hefty fine. The highest tier is a fine of €20 million or 4% of the previous year's annual turnover, whichever is higher.
When does the GDPR take effect?
Requirements
Below are the major requirements that organisations collecting and processing users' personal data must meet to be GDPR compliant.
- Consent
Explicit, active consent from the user is necessary for each type and purpose of personal data collected. Soft opt-ins, such as pre-checked terms and conditions boxes, would no longer be valid. The user should actively opt in, either by accepting or by email confirmation. Consent should be stored, and the organisation should be able to prove that the user gave it.
- Breach notification
In case of a data breach, the affected users and the local data protection authorities should be notified within 72 hours of the breach being detected.
- Right to Access
Users should be able to view, update or modify the data stored about them. A free electronic copy of their personal data should be provided to data subjects on request.
- Erasure / Right to be forgotten
There should be an option for users to opt out, as well as a provision to delete all of a user's data. However, any applicable data retention requirements take precedence over erasure.
- Data Portability
Allow users to obtain and reuse their personal data for their own purposes across different IT environments.
- Security and Protection
Data should be stored securely, and proper measures such as access control and data encryption should be taken to protect user data.
- Data Protection Officers
Organisations that process or store large amounts of personal data need to designate a DPO to oversee data security strategy and GDPR compliance.
With so many privacy concerns and breaches in recent times, a strict policy like the GDPR is very important, and I feel that such standards should be adopted at a global level.