General Data Protection Regulation (GDPR) has finally arrived, but what is it?
GDPR is a series of data protection reforms set out by the European Commission. At its core, GDPR is designed to give citizens of the European Union more control over their personal data. These reforms take the form of newly established laws and regulations governing privacy and the use of data. One regulation established as a result now requires companies to obtain an individual's explicit permission for the use of their personal data.
The purpose of the GDPR reforms is to ensure that data is gathered under strict conditions and that the host of the data takes the necessary precautions to properly safeguard it. Any organization found to be misusing consumer data, or failing to safeguard it, will be forced to pay fines ranging from 20 million euro to four percent of the company's annual global turnover. The fines will be determined based on the severity of the breach and what steps the organization took to ensure the proper storage of data.
Organizations must now inform the consumer, in a clear and understandable manner, how their data will be used. Consumers will be provided an opt-out, which offers additional freedom to those who no longer want their data to be stored. Any data that is stored from that point must be used only for the purposes explicitly stated in the original agreement. Any further use outside the scope of the original agreement requires additional consent.
What does it mean for your organization?
GDPR will apply to any organization doing business within the EU, which means any organization wanting to enter the European market will need to prepare for compliance. This also explains the privacy policy updates that have been flooding inboxes in the past few weeks, as companies have rushed to update their data processing agreements (DPAs).
GDPR ultimately places the majority of legal obligations on the processor to maintain records of personal data and of how it is processed. In doing so, GDPR imposes a much higher level of legal liability should the organization be breached.
A processor is a "person, public authority, agency or other body which processes personal data on behalf of the controller".
The privacy reforms will streamline the rules across the continent into a single set which, in theory, should make it easier and cheaper for businesses to operate. "By unifying Europe's rules on data protection, lawmakers are creating a business opportunity and encouraging innovation," the Commission says.
Additionally, the Commission says that, under the regulations, data protection safeguards will be built into products and services from the earliest stage of development, providing data protection by design in new products and technologies.
What happens if a data breach occurs?
In the event of a data breach, organizations will be required to notify the appropriate national bodies as soon as possible, so that EU citizens can take appropriate measures to prevent their data from being abused. Any organization that has been breached will now be required to deliver a notification that includes information such as the type and quantity of data leaked. The organization must also describe the potential repercussions and how it is working to deal with them, while providing a point of contact for the data protection officer dealing with the breach.