Yes, the GDPR affects you if you:
- have business established in the EU
- offer goods or services to anyone in the EU
- collect, store, transfer or use personal information about individuals in the EU
The General Data Protection Regulation (the GDPR) regulates and protects the processing of personal information. It introduces new data protection rules and principles that expand the privacy rights granted to individuals. The GDPR requires companies to be transparent about the personal data they handle and to have a legitimate purpose for using it.
In a nutshell, the GDPR establishes rules on how companies, governments and other entities can process the personal data of citizens who are EU citizens or residents.
The GDPR aims to strengthen and unify data protection law for all individuals across the European Union, replacing the earlier Data Protection Directive with a single regulation that applies directly in every member state. In the coming years, more countries are expected to follow its example and place strict obligations on organizations that handle personal information.
The GDPR was first proposed in 2012; after four years of preparation and debate it was adopted in 2016, and it has been enforced since 25 May 2018.
All organizations that are not in compliance with the new data protection rules face heavy fines. Depending on the seriousness of the infringement, organizations can be fined up to €20 million or 4% of annual global turnover, whichever is higher.
For less severe infringements the maximum fine is lower: €10 million or 2% of annual global turnover, whichever is higher.
Here is a summary of some of the key changes and requirements that come into effect with the GDPR:
The GDPR provides expanded rights for individuals. Customers have the right to:
- Obtain confirmation as to whether or not their personal data is being processed, where and for what purpose (Right of Access)
- Access their personal data (Right of Access)
- Correct errors in their personal data (Right to Rectification)
- Erase their personal data (Right to Erasure, also known as the Right to be Forgotten)
- Object to having their personal data processed (Right to Object)
- Receive a copy of their personal data in a machine-readable format and transfer it to another vendor/controller (Right to Data Portability)
For an organization to process personal data lawfully, it must have a lawful basis for doing so. The most familiar basis is the individual's consent, which must be freely given, specific, informed and unambiguous; the regulation also recognizes other bases, such as processing necessary to perform a contract with the individual or to meet a legal obligation.
Data Controller - An entity that collects personal data and determines why and how it is processed is the Data Controller.
Data Processor - An entity that processes data on behalf of the Controller. For example, a SaaS-based CRM platform that stores data for its client would be a Data Processor.
The GDPR also requires organizations to implement appropriate policies, protect personal data with appropriate technical and organizational security measures, conduct data protection impact assessments for high-risk processing, and keep detailed records of their processing activities. The GDPR places strict controls on where personal data is stored, how it is transferred outside the EU and how it is used.
Under the GDPR, organizations are required to report personal data breaches to the appropriate supervisory authority if the breach is likely to "result in a risk to the rights and freedoms of individuals". The breach notification must be made within 72 hours of first becoming aware of it. If there is a high risk of harm, organizations must also notify the affected data subjects without undue delay.
Data protection officer
Organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of sensitive personal data, are obliged to appoint a Data Protection Officer. The DPO is responsible for keeping accurate internal records, monitoring the organization's compliance with data protection law, advising on data protection impact assessments, and acting as the point of contact for the data protection authorities, including in the event of a data breach.
Now that you are familiar with the GDPR, why it is important and whom it concerns, we will go deeper into the data protection principles over the next few weeks. We will advise on what organizations need to do to prepare for compliance with the regulation, and on the best practices for doing so.
Read on how to meet the GDPR requirements in the article: Best Practices on Meeting GDPR Requirements (+ Free GDPR Compliance Checklist).
Composity is fully committed to achieving compliance with the GDPR requirements.