You must have noticed that your inbox is flooded with emails from companies asking for your permission or talking about GDPR rules. Naturally, it’s quite overwhelming. But then, you may be wondering what all this buzz about GDPR is. What is it? Why do we even need it?
Calm down, sip some lemon water and read to know more.
What does GDPR even stand for?
General Data Protection Regulation.
How did it come into the picture?
The GDPR supersedes the 1995 Data Protection Directive and is meant to set down ground rules for the digital era across Europe. In January 2012, the European Commission set out plans for data protection reform across the European Union. After years of preparation and debate, GDPR was passed unequivocally by the European Parliament in April 2016.
The GDPR has been in force since May 25th, 2018, and organizations across the globe are required to abide by it. It was also mandatory for the member nations to have incorporated the law into their national law by 6 May 2018.
But first, let’s understand what GDPR is.
“The General Data Protection Regulation (GDPR) (EU) is a new regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA).”
The GDPR primarily gives citizens and residents control over their personal data. It also aims to simplify the regulatory environment around data for businesses, so that both citizens and companies can reap the benefits.
The reform was the need of the hour as the world goes digital. Our lives revolve around data held by social media companies, banks, retailers and governments, and as all this data accumulates in massive amounts, there is a need for a law that safeguards personal data, privacy and consent.
What is GDPR compliance?
Under the terms of GDPR, organizations must ensure that personal data is gathered legally and under strict conditions, and that the user is well informed. If there is a data breach, information lands in the hands of people it was never meant for. The organization is then liable to report any breach that is likely to put the rights and freedoms of individuals at risk, and faces consequences if it does not. The duty to protect data from such exploitation also applies to those who collect and manage it.
Under the GDPR provisions, companies are expected to implement appropriate technical and organizational measures to reduce the risk of such data breaches. There are hefty penalties if organizations fail to comply with the GDPR reform.
What is a GDPR breach notification?
If there’s a breach, those affected have to be informed via a breach notification. The victims have to be contacted individually, not just through a press release, social media sites or any other means.
The breach should also be reported to the relevant supervisory body within 72 hours of the organization becoming aware of it.
Failure to comply with the GDPR can result in a hefty fine, ranging from 10 million euros to four percent of the company’s annual global turnover, which could amount to billions for some organizations. The severity of the breach and the measures taken to curb data breaches will determine the extent of the fine.
Which organizations come under the GDPR reform?
GDPR applies to every organization operating within the EU, as well as to those that offer services to customers or businesses in the EU. Ultimately, this means that all the major companies in the world need to abide by the law now that GDPR is in effect. Article 4 of the General Data Protection Regulation defines two different types of data handlers the legislation applies to: ‘processors’ and ‘controllers.’
Will there be any impact of Brexit on GDPR?
The UK is set to leave the EU on 29 March 2019, a little over ten months after GDPR comes into force. According to the UK government, this won’t affect the enforcement of GDPR in the country. So, technically, Brexit is unlikely to have any impact on an organization’s GDPR compliance requirements.
What is considered personal data under the GDPR reform?
Data such as a name, address and photos. GDPR extends the definition of personal data to include IP addresses. It also covers sensitive personal data such as genetic data and biometric data, which could be processed to uniquely identify an individual.
What can citizens and consumers expect from the GDPR law?
Over the years, there have been severe information breaches at organizations, exposing various levels of personal information online. GDPR is designed to give consumers the right to know why their data is needed and how the organization is going to use it. Customers should also have an easy way of opting out of an organization’s mailing list.
GDPR also sets out to bring in a ‘right to be forgotten’ process, which gives additional rights and freedoms to people who no longer want their data to be available, provided there are no grounds for retaining it. Organizations need to keep a close check on these consumer rights.
What does GDPR mean for businesses?
GDPR establishes one law across Europe, putting into motion a single set of rules for companies doing business within the EU or offering services to EU citizens, irrespective of where the company is located. GDPR also emphasizes that the law is not restricted to EU borders but reaches beyond them as well.
Organizations are also encouraged to adopt techniques such as ‘pseudonymization’, which protects the privacy of their customers while their data is still processed. They are also encouraged to appoint a Data Protection Officer (DPO) if they carry out large-scale processing of particular categories of data, carry out large-scale monitoring of individuals such as behaviour tracking, or are a public authority. Failing to appoint a data protection officer when one is required could also count as non-compliance and result in a fine.
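Pseudonymization as described above, in an added example that is not part of the original post: the personal fields the text names (name, address, IP address) are replaced with keyed HMAC tokens, the key is the separately stored "additional information" without which the tokens cannot be tied back to a person, and the key holder can still find a subject's rows to honour an erasure request. The field names, the sample records and the `erase_subject` helper are this example's own assumptions.

```python
import hmac
import hashlib
import secrets

# Fields the text names as personal data: name, address, IP address.
PERSONAL_FIELDS = ("name", "address", "ip")


def pseudonymize_value(value: str, field: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 truncated to 128 bits (32 hex chars).
    The field name is mixed into the message so the same string appearing
    in two different fields does not produce the same token."""
    msg = field.encode() + b"\x00" + value.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymize_record(record: dict, key: bytes) -> dict:
    """Replace personal fields with pseudonyms; other fields are kept as-is,
    so the dataset stays usable for analytics (equal subjects share a token)."""
    return {
        f: pseudonymize_value(str(v), f, key) if f in PERSONAL_FIELDS else v
        for f, v in record.items()
    }


def erase_subject(records: list, field: str, value: str, key: bytes) -> list:
    """Honour an erasure request against a pseudonymized dataset: only the
    key holder can recompute the subject's token and drop matching rows."""
    token = pseudonymize_value(value, field, key)
    return [r for r in records if r.get(field) != token]


# Constructed sample data (documentation addresses), not from any real system.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "address": "1 Sample St", "ip": "203.0.113.7", "page": "/pricing"},
    {"name": "Bob Example", "address": "2 Sample St", "ip": "203.0.113.8", "page": "/docs"},
    {"name": "Alice Example", "address": "1 Sample St", "ip": "203.0.113.7", "page": "/signup"},
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # the "additional information", stored separately
    pseudo = [pseudonymize_record(r, key) for r in SAMPLE_RECORDS]
    for row in pseudo:
        print(row)
    remaining = erase_subject(pseudo, "name", "Alice Example", key)
    print(len(remaining), "record(s) left after erasing Alice")
```

Without the key, a party holding only the pseudonymized rows can count visits per token but cannot name the visitor; with the key, the controller can answer access and erasure requests.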
So, what are your thoughts on GDPR? Share with us in the comments section below.