A Summary of New European Union General Data Protection Regulation
The purpose of this legislation is to protect the personal data of individuals in the EU, covering how that data is collected, stored, processed, and destroyed once it is no longer needed.
The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years.
EUGDPR.ORG
The main purpose of the regulation is to give individuals control over how their personal information is kept, processed, or discarded.
GDPR (Article 4(1)) defines personal data as “any information relating to an identified or identifiable natural person”. This includes names, addresses, telephone numbers, email addresses, credit card details, financial information, medical information, posts on social media websites, biometric and genetic data, location data, an individual’s IP address, and other online identifiers.
The rights afforded to individuals in the EU and the major GDPR requirements include:
- Data is only collected and processed when there is a lawful basis for doing so
- Obtaining valid consent before personal data is collected, stored, or processed, where consent is the lawful basis being relied on
- Implementing technical and organisational controls to safeguard the confidentiality, integrity, and availability of personal data
- Training employees on the correct handling of personal data
- Ensuring an individual’s right to erasure (the “right to be forgotten”) can be honored, so that all personal data collected on that individual can be permanently erased when no lawful basis for keeping it remains
- Ensuring individuals are informed about how their information will be collected and used, similar to the Notice of Privacy Practices required by HIPAA
- Making sure data transfers across borders occur in accordance with GDPR requirements
- Putting data breach notification policies in place so that the supervisory authority is notified within 72 hours of becoming aware of a breach, and affected individuals are notified when the breach is likely to result in a high risk to them
- Appointing a Data Protection Officer where the regulation requires one (for example, public authorities, or organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data)
History
The European Parliament approved the GDPR in April 2016; it entered into force in May 2016, and the two-year transition period ends in May 2018, when the regulation becomes enforceable.
GDPR applies to any organisation, regardless of its physical location, that processes or holds the personal data of data subjects (individuals) in the EU member states.
GDPR is a risk-based framework centred on personal data, a broader notion than the US term PII (personally identifiable information): anything from name, gender, and address, to bank account details, and even the sales and marketing records that are collected in the course of any typical business interaction.
What is the potential loss of non-compliance?
Organizations can be fined up to 4% of annual global turnover or €20 million, whichever is greater, for breaching GDPR. This is the maximum fine, reserved for the most serious infringements, e.g. processing data without a valid lawful basis such as sufficient customer consent, or violating the core principles of Privacy by Design.
The cost of GDPR non-compliance is high, but are there more positive incentives to comply?
The details of how the EU is going to enforce GDPR, and how non-compliant businesses will be proactively identified, are not yet clear, but the consensus is that any company around the world with a web presence that markets its products online will have some homework to do.
Does your firm need to become GDPR compliant? Not necessarily, if there is no business relationship with the EU at all, but that is very unlikely for most businesses, even in the USA.
References
EU member countries
- Austria
- Belgium
- Bulgaria
- Croatia
- Republic of Cyprus
- Czech Republic
- Denmark
- Estonia
- Finland
- France
- Germany
- Greece
- Hungary
- Ireland
- Italy
- Latvia
- Lithuania
- Luxembourg
- Malta
- Netherlands
- Poland
- Portugal
- Romania
- Slovakia
- Slovenia
- Spain
- Sweden
- UK
For details refer to official publications: