As of 25 May, some game-changing regulation comes into effect within Europe. This new regulation is called the GDPR, the (European) General Data Protection Regulation. If you’re a business owner in Europe, you need to start reading up and seeking professional help now to become GDPR compliant.
But what is GDPR exactly?
This new General Data Protection Regulation within Europe is based on two principles:
- Giving citizens and residents more control over their personal data.
- Simplifying regulation for international businesses with a single, unified regulation that applies to all of them across the European Union.
The aim of GDPR is to safeguard citizens from their data being used maliciously or without their permission. GDPR was introduced to specify how consumer data should be used and protected.
GDPR applies to everyone involved in processing data about individuals in the context of selling goods and services to citizens in the EU, regardless of whether the organisation is within the EU.
What are the requirements to comply with GDPR?
- Consent: When obtaining consent for data use, companies must provide terms and conditions that are easy and simple to read. It must also be as easy to withdraw your consent as it is to give it.
- Data Breach: In the event of your data being breached, data processors have to notify their controllers and customers of any risk within 72 hours.
- Right to Access: Data subjects, like you and me, have the right to obtain confirmation from the data controller of whether their data is being processed. Data controllers also have to provide subjects with an electronic copy of their personal data free of charge.
- Right to be forgotten: Once data is no longer needed for its original purpose, data subjects can tell the data controllers to erase their information.
- Data Portability: Individuals can obtain and reuse their personal data for their own purposes by transferring it across different IT environments.
- Privacy by Design: This is a call to build data protection in from the outset when designing systems, implementing appropriate technical and infrastructural measures.
- Data Protection Officers: Public authorities and organisations with over 250 employees must appoint professionally qualified officers where they carry out systematic monitoring or processing of sensitive personal data.
What can happen if a company doesn’t follow these regulations?
If a company doesn’t comply with GDPR, fines can reach 4% of its global revenue or up to €20 million at the higher tier, and 2% or €10 million at the lower tier. A company can be fined up to 2% simply for not having its records in order.
When a GDPR breach notification is received, the company is required to do much more than simply put its hands in the air and take the blame, as happened in the Cambridge Analytica scandal, which the EU is not happy with. The company will need to provide the categories of data, the records touched and the approximate number of data subjects affected.
Do you think our data is safe enough in the hands of so many companies? Tell us in the comments below.