GDPR stands for General Data Protection Regulation. Where did it come from? In January 2012, the European Commission launched a reform of data protection across the European Union in order to make Europe ‘fit for the digital age’. It took almost four years to reach agreement on what the reform should cover and how it should be enforced. The General Data Protection Regulation (GDPR) is the key element of this reform, and it applies to organizations in all member states, as well as to individuals and businesses in Europe and beyond its borders.
Common standards of data protection were introduced to help people control their personal information and to lay a solid foundation for a trustworthy digital future in Europe and the rest of the world.
What is GDPR?
In essence, GDPR is a new set of rules created to give EU citizens more control over their personal information. It is intended to simplify the regulatory environment for businesses and citizens in the European Union so that both can reap the full benefits of the digital economy. The reform concerns the laws and obligations connected with personal data, privacy, and consent.
Almost every aspect of our lives involves personal data, from banks and government bodies to social media: nearly every service we use collects and analyses our personal data (email address, credit card number, and so on). This data is gathered, analysed and stored by organizations.
What is GDPR compliance?
Data breaches cannot be avoided entirely: information gets lost, compromised or stolen by people with malicious intent. GDPR not only requires companies to collect personal data carefully and lawfully, but also obliges them to protect that data against misuse and exploitation and to respect the rights of the people it belongs to. Organizations that fail to do so are penalized.
Who does GDPR apply to?
GDPR applies to any organization established in the EU, and to any organization outside the EU that offers goods or services to people in the EU or monitors their behaviour. In practice, this means that almost every large enterprise in the world has to comply with GDPR.
The legislation distinguishes two categories of data handlers: ‘controllers’ and ‘processors’ (both terms are defined in Article 4 of the General Data Protection Regulation). A controller is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”, while a processor is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”. Both are bound by GDPR: complying with existing national law such as the UK’s Data Protection Act does not, by itself, mean you comply with GDPR.
“You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR,” says the UK’s Information Commissioner’s Office, the authority responsible for registering data controllers, taking enforcement action on data protection, and handling complaints about the mishandling of data.
GDPR places legal obligations directly on processors, including the duty to maintain records of the personal data they handle and how it is processed. As a result, processors face a much higher level of liability for data breaches and other violations of the law than before. Controllers, for their part, must make sure that their contracts with processors meet the requirements set out in GDPR.
What is considered to be personal data under the GDPR?
Under Article 4 of GDPR, personal data is any information relating to an identified or identifiable natural person: a name, an identification number, location data, an online identifier, or any factor specific to that person’s physical, physiological, genetic, mental, economic, cultural or social identity.
This means that GDPR treats IP addresses and similar online identifiers as personal data, as well as genetic data and biometric data used to uniquely identify a person, which it places in a special category subject to stricter rules.
When does GDPR come into force?
GDPR has applied across the European Union since 25 May 2018. Because it is a regulation rather than a directive, it applies directly in every member state without needing to be transposed into national law (the 6 May 2018 transposition deadline that is often quoted alongside it belongs to the accompanying data protection directive for police and criminal justice authorities). After years of debate, GDPR was approved by the European Parliament in April 2016, and the text was published in the Official Journal in May 2016.
What’s the GDPR compliance deadline?
All organizations were expected to be compliant with GDPR by 25 May 2018.
How does Brexit influence GDPR?
The UK is expected to leave the European Union on 29 March 2019, ten months after GDPR came into application. However, the UK government has said that Brexit will not affect the application of GDPR in the country, and that its provisions will continue to apply even though the UK will no longer be an EU member.
Will GDPR change businesses?
Because GDPR is a single regulation applied identically across all member states, the same rules bind every company doing business in the EU, wherever it is headquartered. The legislation therefore reaches well beyond the borders of Europe: organizations with offices or affiliates in the EU, and organizations outside the EU that serve EU customers, all have to comply.
The European Commission estimates that a single set of data protection rules for the whole EU is a cheaper and more efficient way of doing business in the region, saving an estimated €2.3 billion per year across Europe.
The regulation requires data protection to be built into products and services from the earliest stages of their development (‘data protection by design’). It also encourages organizations to use techniques such as ‘pseudonymization’, which lets them collect and analyse personal data while reducing the risk to the individuals concerned, so that business benefit and customer privacy are both preserved.
What does GDPR mean to me?
As data breaches and cyber attacks have become widespread in recent years, a great deal of personal data, including email addresses, passwords, social security numbers and personal health records, has been exposed on the Internet.
One of the main changes GDPR has brought about is the customer’s right to know when their data has been compromised. If a data breach happens within an organization, it must notify the relevant supervisory authority within 72 hours of becoming aware of it and, where the breach is likely to result in a high risk to individuals, tell those individuals without undue delay so that they can take steps to protect themselves from misuse of their data.
Customers should also be able to find out easily what personal data a company holds about them, for example whether their details are on a mailing list. Some companies have warned their customers that they need to do more to ensure GDPR compliance, particularly where consent is involved. Another right granted by GDPR is the ‘right to be forgotten’: people who no longer want their personal data processed can ask for it to be erased where the organization has no legitimate reason for retaining it. Organizations must be able to honour these rights from the day GDPR applies.
Can a privacy email be a scam?
Companies in every sector have been sending customers emails asking them to agree to continue receiving messages and other marketing material. If a customer wants to stay on the list, they just need to click a link in the email. However, the mass mailing of GDPR-related emails has given criminals and scammers an opening to send phishing emails that imitate them. Before clicking, check that the message really comes from the company’s own domain and that the link leads to the company’s own site rather than a look-alike.
What is a GDPR breach notification?
Since GDPR came into application, all organizations have been obliged to report personal data breaches, including those involving unauthorized access to, or loss of, personal data, to the relevant supervisory authority, unless the breach is unlikely to result in a risk to the people affected. In some cases organizations must also inform the individuals themselves: namely, where the breach is likely to result in a high risk to their rights and freedoms, such as damage to reputation, financial loss, discrimination, or any other social or economic disadvantage.
If customer data has been compromised, the organization is obliged to disclose the fact. So if your name, address, date of birth, payment card details, bank details, health records, or any other personal data has been breached in a way that puts you at high risk, the organization must inform you as well as the relevant regulatory body, so that timely measures can be taken.
Breach notifications should be delivered directly to the people affected, for example by email or letter, not buried in a social media post, a press release, or a notice on the company’s website. Only where contacting each person individually would involve disproportionate effort may the organization fall back on a public communication that is equally effective.
When should an organization report the notification about a breach?
The breach must be reported to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of the organization becoming aware of it; a notification made later than that must explain the reasons for the delay. Where the breach is likely to result in a high risk to individuals, those individuals must also be told without ‘undue delay’.
What are the GDPR fines and penalties for non-compliance?
If a company fails to comply with GDPR, it can be fined up to €20 million or 4% of its global annual turnover, whichever is greater (which means billions for some companies). The amount depends on the seriousness of the infringement and on whether the company made a genuine effort to comply. The maximum tier, €20 million or 4% of global turnover, applies to infringements of the basic principles of processing, of data subjects’ rights, of the rules on transferring personal data outside the EU, and to ignoring subject access requests or a supervisory authority’s orders.
A lower tier of up to €10 million or 2% of global turnover, again whichever is greater, applies to failures in the organization’s own obligations, for instance not reporting a data breach, not building privacy by design into a project from the start, or not appointing a data protection officer when one is required.
What should a GDPR-compliant breach notification include?
If a company loses data as a result of a cyberattack, human error, or some other event, it is obliged to send a data breach notification. The notification should describe the nature of the breach, including the categories of data involved, the approximate number of individuals concerned, and the approximate number of data records affected (several records may relate to one individual).
In addition, the company should describe the likely consequences of the breach, such as financial loss or identity fraud, and the measures it has taken, or proposes to take, to address the breach and mitigate its possible adverse effects on the people concerned. The contact details of the data protection officer, or of another contact point, must also be provided.
Is there need to appoint a Data Protection Officer?
Under GDPR, a company must appoint a Data Protection Officer (DPO) if its core activities involve large-scale processing of special categories of data (such as health data or criminal conviction data), large-scale regular and systematic monitoring of people (for instance behaviour tracking), or if it is a public authority.
A group of public authorities may appoint a single DPO between them. Although organizations other than those listed above are not obliged to appoint a DPO, they still need to ensure they have enough skills and staff to comply with the GDPR rules.
There are no fixed criteria for who can be a DPO or which qualifications such a person should hold, but the DPO should have professional experience and knowledge of data protection law proportionate to the organization’s activities, as the Information Commissioner’s Office puts it.
Failing to appoint a DPO where GDPR requires one counts as non-compliance, which is why companies without a DPO can be fined.
What does GDPR compliance look like?
Although GDPR may seem complicated, for the most part its rules are built on the same principles that underpin the existing UK Data Protection Act. At the same time, there are some new elements in GDPR, for instance mandatory breach notification, the requirement to have a person responsible for data protection, and the much higher potential fines.
There is no one-size-fits-all approach to preparing for GDPR. Every organization should work out what exactly it needs to do to comply, and who will be responsible for data governance while compliance is being put in place.
The measures taken should minimize the risk of a data breach and ensure that personal data is properly protected. For some organizations this means drastic changes; others already have good data protection practices in place. Responsibility may rest with a single individual in a small business, or with entire departments in a large corporation. In every case, a company needs to consider the budget, systems, and staff required to make it work.
Under the GDPR rules on governance and accountability, companies have to implement appropriate technical and organizational measures. These include data protection policies (staff training, internal audits of processing practices, revision of HR policies) and keeping records of processing activities. Other measures include data minimization (collecting and keeping only the personal data actually needed for a stated purpose) and pseudonymization (replacing direct identifiers with tokens that can be linked back to a person only with information held separately), both of which reduce the harm a breach can do.
When preparing for GDPR, bodies such as the ICO offer general guidelines on the points to consider. Organizations needed to make sure they had taken all necessary measures for GDPR compliance by 25 May 2018, or risk being penalized for non-compliance.
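As an illustration of the two measures named above, here is an added example (not code from the original article or from any regulator) showing data minimization and pseudonymization applied to a small set of constructed customer records. It contrasts a naive SHA-256 hash of an email address, which looks anonymous but can be reversed with a short guess list, with an HMAC-based pseudonym whose key is assumed to be held by the controller outside the analytics dataset. The records, field names and the `pseudonymize` and `dictionary_attack` helpers are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample records for this example (not real people). Only the
# email is a direct identifier; the phone number is not needed for analysis.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "country": "DE", "plan": "pro", "phone": "+49 30 1234567"},
    {"email": "bob@example.com", "country": "FR", "plan": "free", "phone": "+33 1 23456789"},
    {"email": "Alice@Example.com", "country": "DE", "plan": "pro", "phone": "+49 30 1234567"},
]

# Data minimization: the fields the analytic purpose actually needs.
# Everything else (here the phone number) is dropped before the data is shared.
FIELDS_NEEDED = ("country", "plan")


def naive_hash(email: str) -> str:
    """Unkeyed SHA-256 of the identifier. Looks anonymous but is not:
    email addresses are guessable, so the hash can be reversed by trying
    candidates (see dictionary_attack below)."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 token. Without the key the token cannot be linked back to
    the email; with the key (assumed to be held separately by the controller,
    e.g. in a vault the analytics team cannot read) the controller can still
    re-identify a subject to honour an access or erasure request."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymize(records: Iterable[dict], key: bytes) -> list:
    """Return minimized, pseudonymized copies of the records: the direct
    identifier is replaced by a keyed token and unneeded fields are dropped."""
    out = []
    for rec in records:
        row = {field: rec[field] for field in FIELDS_NEEDED}
        row["subject_id"] = pseudonym(rec["email"], key)
        out.append(row)
    return out


def dictionary_attack(token: str, candidates: Iterable[str],
                      digest: Callable[[str], str] = naive_hash) -> Optional[str]:
    """Try to reverse a token by running guessed emails through the same
    digest. This is what an attacker, or a curious analyst, would do with a
    dataset that was 'anonymized' by plain hashing."""
    for guess in candidates:
        if hmac.compare_digest(digest(guess), token):
            return guess
    return None


def demo() -> dict:
    """Run the whole flow and return the facts a practitioner should check."""
    key = secrets.token_bytes(32)  # assumption: generated and stored by the controller
    rows = pseudonymize(SAMPLE_RECORDS, key)
    guesses = ["carol@example.com", "alice@example.com", "bob@example.com"]
    return {
        # Unneeded and identifying fields never leave the controller.
        "fields_shared": sorted(rows[0]),
        # The naive hash of alice's email falls to a three-entry guess list.
        "naive_recovered": dictionary_attack(naive_hash("alice@example.com"), guesses),
        # The keyed pseudonym survives the same guess list.
        "keyed_recovered": dictionary_attack(rows[0]["subject_id"], guesses),
        # Records 0 and 2 are the same person, so analysis can still count
        # distinct users, while records 0 and 1 stay distinguishable.
        "linkable": rows[0]["subject_id"] == rows[2]["subject_id"],
        "distinct": rows[0]["subject_id"] != rows[1]["subject_id"],
        # Re-identification works only for whoever holds the key.
        "reidentified": dictionary_attack(rows[0]["subject_id"], guesses,
                                          digest=lambda e: pseudonym(e, key)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the keyed token is that the dataset on its own is no longer personal data for whoever receives it, while the controller keeps the key and can still answer a subject’s request; store the key in a separate system with its own access controls, and rotate it only with a plan for re-keying existing tokens, since a new key breaks linkage with the old ones.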
What has changed after GDPR introduction?
Before GDPR came into application, companies started sending customers emails asking them either to consent to the new policies or to unsubscribe. The emails were so abundant that many users were annoyed. Some platforms restricted access for European users altogether.
Some European users trying to reach US-based websites found them blocked, with the publishers citing GDPR as the reason. This appears to be a temporary situation: the companies concerned are looking for ways to achieve full compliance with the new rules, and denying users access is a stopgap to avoid potential fines in the meantime.