Bharat S Raj

GDPR: EU’s General Data Protection Regulation

The GDPR is one of the biggest reforms in Data Protection regulation this year and it is expected to impact a large number of technology firms around the world including Facebook and Google.

Here is a quick guide to GDPR.

What is GDPR?

General Data Protection Regulation (GDPR) is a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. The GDPR also regulates the exportation of personal data outside the EU. This means that companies outside of the region will have to comply if they offer goods or services to, or monitor the behavior of people in the region.

This legislation was approved in April 2016 and replaces a previous law called the Data Protection Directive, which came into effect in 1995 (a long time before the internet became the online business hub). The European authorities have given companies two years to comply and it will come into force on May 25, 2018.

Even though the provisions are consistent across the EU member states, the standards are high and will require most tech companies to make a large investment to meet them and to administer compliance.

Key Policies

The main objective of GDPR is to give consumers control of their personal data as it is collected by companies. The earlier directive was outdated. With the growth of internet-based business, it became important for the regulators to enact a new law. In recent times, there has also been growing public concern over privacy.

The following are the types of data that the GDPR protects:

One of the major focuses is that the conditions of consent are strengthened. Consent must be voluntary, specific and unambiguous. Companies will not be able to bundle consent for different things together and cannot give vague statements about data sharing. Consent must also be easy to withdraw.

For children under 16, a person holding “parental responsibility” must opt-in to data collection on their behalf. To comply with this, WhatsApp is banning anyone under 16 years old from using its app in Europe.

In the case of a data breach, it is mandatory for companies to notify their data protection authority within 72 hours of first becoming aware of it. They will also have to inform the affected users within 72 hours.

Many large online services and social media companies have updated their privacy policies and terms of service in order to prepare for the new legislation.

Roles and Responsibility

The GDPR defines several roles that are responsible for ensuring compliance: data controller, data processor, and the data protection officer (DPO).

An organization in breach of GDPR laws will be fined up to 4% of annual global turnover or 20 million euros ($24.6 million), whichever is bigger.

The GDPR is set to completely change how businesses and consumers can process data. The GDPR is a good wake-up call to businesses that have long neglected to protect the data they hold, but it is also one of the biggest changes to the digital landscape that we will see for many years.