What Is All the Fuss About the GDPR?
What is the GDPR?
The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, is the set of rules adopted by the European Parliament and the Council to strengthen and unify the protection of personal data of individuals in the European Union (EU). Its primary goals are to give EU citizens and residents back control over their personal data and to set uniform standards for how organisations established in the EU, or dealing with people in the EU, collect, process and manage that data.
The 11-Chapter Regulation applies in all EU Member States, and also to organisations outside the EU that process personal data about people located in the EU, as well as to transfers of such data out of the EU.
Overview of the GDPR
Under the GDPR, individuals (data subjects) gain the right to object to, and contest, decisions made about them solely by automated processing of their data. Where processing is based on consent, that consent must be freely given, specific, informed and unambiguous, tied to explicitly stated purposes, and explicit for sensitive categories of data. Individuals have the right of access: they may request a copy of the personal data held about them, together with an explanation of the purposes of the processing and of which third parties receive the data. Individuals can request that their data be transferred in a machine-readable form to another data controller (data portability). They can also withdraw their consent at any time and request that their data be deleted (the right to erasure).
The GDPR also places obligations on the data controller regarding security and confidentiality of processing. Data minimization and pseudonymization are expected as measures that reduce the ways in which an individual's identity can be linked to the data. The Regulation also sets out breach notification duties: a personal data breach must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, and to the affected individuals when the breach is likely to result in a high risk to them.
Who is Impacted by GDPR?
The GDPR is applicable in all EU member states. Each member state designates its own independent supervisory authority (SA) to investigate complaints and address violations. The SAs cooperate with each other and organize joint operations on compliance. If an organisation has establishments in several member states, it answers to a single lead SA, the one in the member state where its main establishment is located (the "one-stop shop" mechanism).
The Regulation also applies to organisations established in the EU regardless of whether the processing itself takes place inside the EU. In addition, it applies to non-EU organisations that collect, store or process personal data of people located in the EU where that processing relates to offering them goods or services (whether or not payment is required) or to monitoring their behaviour within the EU. The test is the location of the data subject, not their citizenship.
When to Comply with the GDPR?
The GDPR was adopted on April 27, 2016 and became applicable on May 25, 2018. As a Regulation it is directly binding in every member state and does not require individual governments to pass enabling legislation, although member states may add national provisions in areas the GDPR leaves open to them.
What are the Penalties for GDPR violations?
Sanctions ranging from warnings to multi-million Euro fines can be imposed. Supervisory authorities weigh factors such as the nature and duration of the infringement, whether it was intentional or negligent, and the steps taken to mitigate the damage, so a first, non-intentional infringement is more likely to result in a warning, reprimand or corrective order with follow-up audits than in a maximum fine. Infringements of the controller's and processor's obligations (for example on security of processing, records of processing or breach notification) can incur a fine of up to 10 million Euros or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Infringements of the basic principles for processing, of the conditions for consent, of the data subjects' rights, or of the rules on international transfers can incur a fine of up to 20 million Euros or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Individuals who suffer material or non-material damage as a result of these violations can also claim financial compensation from the controller or processor responsible.
In summary, the GDPR can impact almost every organisation that collects personal data, and the penalty for non-compliance can be significant. Data and business solutions must take these binding requirements into account when designing and updating their data management policies and systems.