What is GDPR?
Sharing personal data has become part of everyday life. All of us buy things on the internet, share photos, documents and contact details, pay by credit card online, and so on. But are all those data protected? This is the question the EU asked and answered by adopting a new European privacy regulation, the GDPR, in April 2016. In this article we explain a little further what GDPR is and how it will affect doing business in Europe. The regulation takes effect in May 2018, after a two-year transition period, and will permanently change the way customer data are collected, stored and used.
The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in the last 20 years. It was designed to harmonize data privacy laws across Europe, to protect and empower the data privacy of all EU citizens, and to reshape the way organizations across the region approach data privacy. GDPR will apply to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company's location. The term "personal data" is defined as any data that can be used to directly or indirectly identify a person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites or medical information to a computer's IP address.
According to GDPR, every company must grant the following rights to private individuals:
The right to access – individuals have the right to request access to their personal data and to ask how the company uses their data after it has been gathered. The company must provide a copy of the personal data, free of charge and in electronic format if requested.
The right to be forgotten – if consumers are no longer customers, or if they withdraw their consent from a company to use their personal data, then they have the right to have their data deleted.
The right to data portability – individuals have the right to transfer their data from one service provider to another, and this must happen in a commonly used, machine-readable format.
The right to be informed – this covers any gathering of data by companies, and individuals must be informed before data is gathered. Consumers have to opt in for their data to be gathered, and consent must be freely given rather than implied.
The right to have information corrected – this ensures that individuals can have their data updated if it is out of date, incomplete or incorrect.
The right to restrict processing – Individuals can request that their data is not used for processing. Their record can remain in place, but not be used.
The right to object – this includes the right of individuals to stop the processing of their data for direct marketing. There are no exemptions to this rule, and any processing must stop as soon as the request is received. In addition, this right must be made clear to individuals at the very start of any communication.
The right to be notified – if there has been a data breach that compromises an individual's personal data, the individual has the right to be informed within 72 hours of the company first becoming aware of the breach.
Last but not least, an organization that breaches GDPR can be fined up to 4% of its annual global turnover or €20 million, so there is still time until May 2018 to align with the new regulation.