GDPR – A New Standard for Data Privacy

April 28, 2018

The growth of technology and electronic communication means that every day, almost every hour, we share our personal data with a huge number of organisations, including shops, hospitals, banks and social media sites. Our data is collected, used and stored by these organisations. There is significant public concern over privacy, and it grows with every new high-profile data breach. People are increasingly realising that their personal data is not just valuable to them, but hugely valuable to others.

In order to give users more control over their data and better transparency about how it is being used, the European Union has introduced a new regulation, known as the GDPR, to protect users' personal data.

Let's try to understand the key aspects of the GDPR without too much legal jargon.

What is GDPR?

GDPR stands for General Data Protection Regulation. It is a new set of rules designed to give EU citizens more control over their personal data. It aims to simplify the regulatory environment for business so that both citizens and businesses in the European Union can fully benefit from the digital economy. It specifies how customer data should be used and protected. The provisions are consistent across all 28 EU member states, which means that companies have just one standard to meet within the EU.

What kind of data does the GDPR protect?

The regulation applies to a broad array of personal data including name, ID numbers and location, as well as IP addresses, cookies and other digital fingerprints.

Who enforces the GDPR?

The European Union parliament passed the law in April 2016, and each member state will have its own supervising authority.

Which companies does the GDPR affect?

This regulation has global implications. Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if it has no business presence within the EU.

Failure to comply

Failing to comply will result in a hefty fine. The highest tier is a fine of €20 million or 4% of the previous year's annual turnover, whichever is higher.

When does the GDPR take effect?

The GDPR was adopted by the European Parliament in April 2016 and builds on the previous EU data protection directive (1995). There was a two-year grace period for companies to comply, which ends in May 2018. Companies must be able to show compliance by May 25, 2018.


Below are the major requirements for GDPR compliance for organisations that collect and process users' personal data.

  1. Consent

    Explicit, active consent from the user is necessary for each type and purpose of personal data collected. Soft opt-ins, such as pre-checked terms and conditions boxes, are no longer valid. The user should actively opt in, either by accepting or by email confirmation. Consent should be stored, and the organisation should be able to prove that the user gave it.

  2. Breach notification

    In case of a data breach, the affected users and the local data protection authority should be notified within 72 hours of detection of the breach.

  3. Right to Access

    Users should be able to view, update or modify the data stored about them. A free electronic copy of their personal data should be provided to data subjects on request.

  4. Erasure/Right to be forgotten

    There should be an option for users to opt out, as well as a provision to delete all of a user's data. However, any data retention requirements take precedence over erasure.

  5. Data Portability

    Allow users to obtain and reuse their personal data for their own purposes across different IT environments.

  6. Security and Protection

    Data should be stored securely, and proper measures such as access control and data encryption should be taken to protect user data.

  7. Data Protection Officers

    Organisations that process or store large amounts of personal data need to designate a Data Protection Officer (DPO) to oversee data security strategy and GDPR compliance.

With so many privacy concerns and breaches in recent times, a strict policy like the GDPR is very important, and I feel that such standards should be adopted at a global level.

Disclaimer: I am not a legal expert, and the above article is my effort to put the information related to the GDPR in simple, non-legal terms.
Please feel free to comment and share your opinion below.
