GDPR Explained in 2 Minutes (Video Inside)

Things you should know about GDPR

GDPR: the new sheriff in town!

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.

What is GDPR?

At its core, GDPR is a new set of rules designed to give EU citizens more control over their personal data. It aims to simplify the regulatory environment for business so both citizens and businesses in the European Union can fully benefit from the digital economy.

The GDPR applies if:

  1. Your company processes personal data and is based in the EU, regardless of where the actual data processing takes place; or
  2. Your company is established outside the EU but offers goods or services to, or monitors the behavior of, individuals within the EU.

What is personal data under the GDPR?

Personal data is defined as any information related to a natural person or data subject that can be used to identify the person directly or indirectly.

Some key points to note in respect of GDPR:

Organizations must maintain a Personal Data Breach Register and, based on severity, the regulator and data subject should be informed within 72 hours of identifying the breach.

Fines for breaches of certain important provisions can amount to up to €20 million or 4% of global annual turnover, whichever is the greater.

Individuals’ rights under the GDPR

All individuals in the EU will have the following rights with regards to their personal data:

  • Individuals have the right to be informed about the collection and use of their personal data.
  • Individuals have the right to access their personal data.
  • Individuals have the right to request the restriction or suppression of their personal data.
  • Individuals have the right to obtain and reuse their personal data for their own purposes across different services.
  • Individuals have the right to object to the processing of their personal data in certain circumstances.
  • The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete.
  • The GDPR introduces a right for individuals to have personal data erased. The right to erasure is also known as “the right to be forgotten”.

Do we need to appoint a Data Protection Officer (DPO)?

Under the GDPR, an organization must appoint a DPO if:

  • It is a public authority (except for courts acting in their judicial capacity).
  • Its core activities require large scale, regular and systematic monitoring of individuals (for example, online behavior tracking).
  • Its core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offenses.

Ready to comply?

Obviously, tech giants such as social media networks, Google and Amazon are the most affected parties. However, any other company operating in Europe or providing services to EU citizens must comply. And with fines reaching €20 million, the cost of not complying with GDPR is far greater than any investment needed to comply with it.

Contact CIATEC today to ensure that all your information security processes are compliant with GDPR.

Source
gdpr-info.eu