GDPR stands for General Data Protection Regulation
The General Data Protection Regulation, or simply GDPR, formally entered into force in May 2016 and, after a two-year transition period, became applicable across the EU on 25 May 2018. It affects many areas of life and business, from technology and medicine to advertising and banking, and it does not concern only EU citizens and companies.
Above all, the regulation broadened the definition of “personal data”: any information relating to an identified or identifiable natural person, which explicitly includes online identifiers such as IP addresses and cookie identifiers, location data, and genetic and biometric data.
Business owners have to learn the difference between a data controller and a data processor. A data controller determines the purposes and means of the processing; if your firm decides why and how data about EU residents is collected, it is a controller. An organization that processes personal data on behalf of, and on the instructions of, a controller is a data processor. The same organization can be a controller for some processing and a processor for other processing.
The rules also cover monitoring of data subjects, for example tracking EU residents online (including through cookies) or using automated processing to profile individuals and their behaviour.
Data processing and GDPR
Lawfulness, fairness, and transparency — processing must have a legal basis, and information on the purposes, methods, and scope of personal data processing must be expressed in a form that is as accessible and plain as possible.
Purpose limitation — personal data may only be collected for specified, explicit, and legitimate purposes and may not be further processed in a manner incompatible with those purposes.
Data minimization — organizations may not collect more data than is necessary to achieve their stated purposes.
Accuracy — personal data must be accurate and kept up to date; inaccurate data must be erased or rectified without delay, including at the request of the data subject.
Storage limitation — personal data must be kept in a form that allows identification of data subjects for no longer than the processing purposes require.
Integrity and confidentiality — a company that processes personal data must apply appropriate technical and organizational measures so that the data is protected against unauthorized access, accidental loss, destruction, or damage.
Key provisions of GDPR
GDPR has substantially expanded the rights of data subjects in the EU:
- right of access — the data subject has the right to obtain confirmation of whether his or her personal data is being processed and, if so, access to that data and to related information such as the purposes of processing, the recipients, and the retention period; the data subject may also require rectification of any inaccuracy;
- right to erasure — the data subject has the right, on request and where the conditions of the regulation are met, to have his or her personal data erased without undue delay;
- right to data portability — on request, a controller must provide the data subject with the personal data he or she supplied, in a structured, commonly used, and machine-readable format, where the processing is automated and based on consent or a contract.
GDPR is a regulation with extraterritorial effect. It applies to all organizations that process the personal data of people in the EU, regardless of where the organizations are established, when the processing relates to offering goods or services to those people or to monitoring their behaviour. Consequently, organizations outside the EU that fall within its scope must comply with the rules and, in most cases, designate a representative in the EU.
Some organizations must also appoint a Data Protection Officer (DPO) to monitor compliance: public authorities, and organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data (such as health or biometric data). Separately, a controller must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to individuals, and must inform the affected data subjects without undue delay when the breach is likely to result in a high risk to them; the DPO acts as the contact point for these matters.
How to comply with GDPR?
- Conduct a comprehensive assessment of the methods and systems used for personal data processing, and bring them into line with the GDPR rules;
- Develop internal policies that strengthen the mechanisms for data protection. It is also good practice to train staff and to review data processing operations regularly;
The failure to comply with GDPR
In case of non-compliance with GDPR, the most serious infringements can be fined up to €20M or 4% of the company’s total worldwide annual turnover for the preceding financial year, whichever is higher.