You have probably heard about the European Union Data Protection Regulation (GDPR), the law that will take effect on May 25th 2018. The aim of this regulation is to give EU citizens the right to control what information various businesses collect from them. GDPR will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. GDPR will replace the prior EU directive known as Directive 95/46/EC (the “Directive”), which has been the basis of European data protection law since 1995.
What is "personal" data?
Personal data is any information relating to an identified or identifiable individual; that is, information that could be used, on its own or in conjunction with other data, to identify an individual. Examples include social security numbers, names, physical addresses, email addresses, IP addresses, behavioral data, location data, biometric data, financial information, and much more. It’s also important to note that even personal data that has been “pseudonymized” can be considered personal data if the pseudonym can be linked to any particular individual. Sensitive personal data, such as health information or information that reveals a person’s racial or ethnic origin, will require even greater protection.
How is GDPR different from the “Directive”?
GDPR has introduced several changes to privacy law. Below are the major changes that are relevant to site owners and developers.
- Definition of personal data: As explained above, personal data is well defined, and any processing of personal data of EU citizens must comply with GDPR.
- Broader scope: The scope of data protection law is expanded beyond the EU to all organizations that process personal information of EU citizens, regardless of whether the processing takes place in the EU or not.
- Rights of the data subject/individual: GDPR provides new rights to data subjects, or individuals, which you should accommodate while processing personal data of EU citizens. The following are some of the significant new rights:
  - Right of access: Individuals have the right to know about the processing of their personal data: the purpose of processing, the categories of personal data concerned, the recipients with whom their personal data is shared, and the period for which the personal data will be stored.
  - Right to rectification: Individuals shall have the right to rectify incorrect personal data or complete incomplete personal data.
  - Right to erasure (right to be forgotten): An individual can request the deletion of all of their personal data collected by the organization.
  - Notification obligation regarding rectification or erasure: The individual must be informed about the rectification or erasure of personal data.
  - Right to data portability: An individual shall have the right to receive their personal data from one organization and transfer it to another without hindrance.
  - Right to object: The individual has the right to object to the processing of their personal data for certain uses, such as marketing purposes or profiling.
- Strict consents: As per GDPR, organizations must ensure that proper consent is received from the individual before processing their personal data. Asking for consent is not enough on its own; an individual should also be able to withdraw their consent at any time.
- Breach notification: If a data breach occurs and the personal data of an individual is compromised, the supervisory authority should be informed within 72 hours.
- Penalties: Any individual who has suffered as a result of a violation of this regulation is entitled to receive compensation from the organization. Heavy fines will be imposed, especially for severe violations of the regulation.
You can download the full PDF from here.
Ignorance is no longer bliss
Be careful about relying on the excuse that you don’t know the GDPR regulation. Ignorance of the law won’t let you escape the huge penalties of non-compliance. If you would like to know more about how to become GDPR compliant, get in touch with us.