The GDPR: 5 Questions Answered
In a rapidly evolving digital world, privacy issues concern both businesses and individuals. The European Union is addressing these concerns with the General Data Protection Regulation (GDPR), which harmonizes data protection law across the EU and mandates a higher level of protection for the personal data of individuals in the EU.
What does the GDPR say?
The GDPR is a complex regulation. Simplified, it mandates the following:
- Consent: Where processing relies on consent, that consent must be requested in a straightforward, easily accessible form, in clear and plain language, and given by an affirmative act. Withdrawing consent must be as easy as giving it.
- Breach Notification: Notifying the supervisory authority of a personal data breach is mandatory and must happen without undue delay, where feasible within 72 hours of the organization becoming aware of it, unless the breach is unlikely to pose a risk to individuals. When the breach is likely to pose a high risk to individuals, the affected people must be informed as well.
- Right to Access: The user has the right to learn whether and for what purpose personal data is being processed by an organization and to receive a copy of that data free of charge.
- Right to be Forgotten: Data subjects have the right to have their personal data erased when they withdraw consent and no other legal basis applies, or when the data is no longer needed for the purpose it was collected for, subject to exceptions such as a legal obligation to retain it.
- Data Portability: The subject has the right to receive their personal data in a structured, commonly used and machine-readable format and to transfer it to another controller.
- Privacy by Design: Systems must be designed with data protection as an essential element from the onset rather than an addition later.
- Data Protection Officers: Organizations are no longer required to notify their processing activities to the national Data Protection Authorities (DPAs); instead, they must keep internal records of their processing activities. Public authorities, and organizations whose core activities involve large-scale systematic monitoring of individuals or large-scale processing of sensitive data, must appoint a Data Protection Officer (DPO).
Why is the GDPR important?
Many GDPR provisions already existed in the national legislation of individual member states. The GDPR standardizes these rules across the EU and extends them to non-EU controllers and processors handling the data of individuals in the EU. With its focus on transparency, the GDPR mandates a previously unknown level of individual visibility into and control over personal data, intending to protect the data of people in the EU and safeguard their privacy rights.
Who does the GDPR impact?
Called “increased territorial scope,” one of the major provisions of the GDPR is that it applies not only to organizations established in the EU but to any controller or processor that offers goods or services to individuals in the EU or monitors their behavior within the EU. This is true regardless of the organization’s physical location, regardless of the individual’s nationality, and is not predicated on the exchange of money.
What are the penalties for non-compliance?
GDPR non-compliance is subject to a tiered fine approach. Less severe infringements (such as failing to keep proper records or to notify a breach) can be fined up to €10 million or 2% of annual global turnover; the most serious infringements (such as violating the core data protection principles or data subjects’ rights) can be fined up to €20 million or 4% of annual global turnover. In each tier, the higher of the two amounts applies. Penalties apply to both data controllers and data processors, so outsourcing processing to the “cloud” does not exempt anyone.