You most probably have heard the phrase “Data Protection and Privacy” recently, as there has been a lot of talk surrounding the matter, especially in the last couple of months. The old GDPR rule that took place in as early as 1995 came to an end. A new rule is in town.
A lot of companies are concerned from the heavy fine they can suffer if they haven’t already completed what had to be done before the enforcement of the rule, that took place in 25th of May of the same year we are currently in. However, they had over 2 years available to do so, as the law was approved by the European Parliament in April 2016.
The same is expected to hit the smaller businesses in particular, as a study made recently resulted in over 80% of the category not being aware what that means to them, therefore are not taking any steps on preventing it. Fine this, that can go up to $20 million or 4% of annual global turnover, whichever tops the other.
Now, talk about fines.
Today I decided to give all the answers to those who are still unaware of the new European Union Privacy Rule. What is the General Data Protection Regulation GDPR, how does it work and what are the new key changes? Stay with me!
Recommended: How to Prevent Identiity Theft Online
General Data Protection Regulation GDPR Definition 2018
GDPR aims to protect the privacy and personal information of the residents of the countries applied to, in this case, the European Union, and its 28 countries, through a high set of standards on the law.
Firm guidelines when gathering and processing personal information on their residents.
To be more direct answering the question of what is General Data Protection Regulation or GDPR, then I think you should know that they care about your personal data( if you reside in the European Union).
Personal data protection by itself is defined as any number, information or any other physical or psychological identifying or identifiable factors to a natural person, also known as Data Subject.
Some key changes on the same law that are also known as an expansion to the old ones, are as below.
- Consent – One of the key all of us will love, is the new strengthened consent regulations. Unlike the old ones, the new consent from the companies shall not be filled with authoritative language, complicated terms and conditions. Instead, the document will be intelligible, easy to read and understand. At the same time, it should be distinguished from other matters and regulations, as well as to be easily accessible and comprehensible, with the customer having the right to withdraw the same as easy as once agreed to.
- Extra Territory Applied – The new GDPR rule has wide applicability and it affects every company that has any relation of any form with the personal data of EU residents, even if the company is from outside the Union. The new rule also requires from outsourcing businesses to appoint a representative inside the European Union.
- New Penalties – A new rule over fines for the companies who breach the rules has been made, the same supposedly to go as high as $20 million or 4% of total global turnover. The new law enforcement took place not longer than 2 months ago, however, the approval of it happened as early as April 2016, enough time this for the companies to line on the track.
There are also unique rules made on data subject rights. Let’s take a look!
- Breach Notifications – In all the European Union states, there has to be a strict notification on the data breach that will let the individual know of any suspicious activity happening surroundinng their data privacy as “ a risk on rights and freedoms”. The same should be approached within 72 hours, without any delay.
- Accessibility – Starting from April of 2018, just months ago, every resident of the European Union has the right to access their personal data from the data controller, for the latter to give transparent information on how, where and for what purpose is the data subject used for. A drastic change this to previous law, giving everyone the right for to their own data processing information.
- Right to Withdraw – Article 17 of the GDPR new law states that the individual has the right to be forgotten. Meaning it has the right to withdraw the data from the data controller. The act of erasure of one’s data means the data will no longer be relevant or original processing purposes, hinders further spreading of the same or halting by the third parties. The right to withdraw is only disputable in the cases if “ the availability of the data is in the public interest”, as the law states.
- Portability of the Data – The individual has the right to ask for their personal data from the data controller, previously known as “machine-readable format” and to transfer the same to another controller.
- Privacy by Design – The article requires the Privacy Rules to have their own place from the onset of a system designation, and not just merely an addition. The same requires the controllers to keep only the indisputably necessary data rules and regulations for finalizing its duties, also known as data minimization. The rule goes on to minimize the accessibility to personal data subject by those needing to process them.
- Data Protection Supervisors – The new GDPR doesn’t require submitting a registration to each local DPA before data procession nor the request for transfer approval regarding Model Contract Clauses( MCC), as did the old rule. Instead, GDPR requires extra requirements when keeping records, which I will explain more below, while DPO shall remain compulsory only in most sensitive cases, sizeable scales or special categories such as criminal offenses or related activities. Moreover, the Data Protection Officers( DPO) are required to the follow specific rules I will show you below.
- They must have contact details reported to the local DPA.
- Must have close relation or be part of the staff of DPA or their service providers.
- Must be provided with proper and accurate training on their duty before being able to execute it themselves.
- Is required to report to the main head of management directly.
- The DPO must solely be focused on his duty and not be involved in any other task at the same time, even the less to one resulting to a conflict of interest.
- Should be experts on data privacy protection rules and regulations and appointed mainly because of their professional qualities.
What does this mean to US, Canada or Australia?
Even though GDPR was intended for residents of European Union Member States, taking in consideration the enormous fines for breaching the GDPR, most of the big-name companies functioning all over the world are lining themselves up to avoid such a fine, as the rule finds application to any company that collects data from EU residents on any circumstance.
Changes these that will be enabled to the US, Canada or Australia residents as well,as part of the company rules and regulations.
Does GDPR apply to a US-based business?
Even if your company is all about US residents and you have absolutely nothing to do with business from Europe, your company could still be affected by the rule. How?
The effect can take place very easily. All you need is a purchase, donation or simply a subscription to your website by a European Union Member States resident, and the data collected, makes GDPR applicable to your company or organization, eventually.
What does GDPR mean to my small business?
In a recent study made recently, the percentage of small businesses not adapted to the law is shocking. I am talking about over 80% of them not in compliance with the rules yet, and if that is you, then it can have devastating effects on your company or organization, whatever small it is.
If you need a legal advice on the matter, it is highly recommended for you to contact an expert in the field you can trust.