General Data Protection Regulation (GDPR)
With just around 130 days left until the General Data Protection Regulation (GDPR) takes effect, it is time for companies that collect customer information to update their data controller systems. GDPR will apply to all European Union member states, establishing a single, uniform data privacy law across Europe. It is being introduced to give people more control over how their personal data is used by any third party or service provider, especially online on websites. GDPR was adopted a couple of years ago and has been under evaluation ahead of its actual roll-out, which is scheduled for 25th May 2018. It will supersede the existing Data Protection Directive of 1995. GDPR is expected to bring more trust to the digital economy, as the earlier directive was written at a time when digital economies were limited.
Once in effect, GDPR will require all businesses to safeguard the privacy and personal data of EU residents for transactions occurring within the EU member states. GDPR will apply not only to organizations located within the EU member states but also to all companies that provide supporting functions to those organizations and collect data on EU inhabitants, regardless of where the company itself is located.
GDPR raises a lot of questions. A common one is: what kind of data will be protected under this regulation? The answer is that any personal data, meaning any information about a person that can identify that person either directly or indirectly, such as a name, a photograph, a computer's IP address, posts on social networking sites, email addresses, medical information, bank account details, policy details and so on, will be protected under the General Data Protection Regulation. GDPR also strengthens the conditions for consent to the collection of personal information. Long, illegible terms and conditions written in legalese will no longer be accepted. A request for consent must be presented in a clear and easily accessible form, using unambiguous, plain language. To process the personal data of minors, parental consent will be required.
GDPR grants data subjects the right of access, under which they can obtain confirmation from the data controller about the processing of their data; the right to be forgotten, which entitles them to have the data controller erase their data completely; and the right to data portability, which allows them to transfer their data to another controller.
Privacy by design also becomes a legal requirement under GDPR, which makes it necessary to build data protection provisions into systems from the design stage rather than adding them as an upgrade later. Non-compliance with GDPR could cost companies large sums under data privacy law: fines of up to 4% of annual turnover or 20 million Euros, depending on the severity of the infringement. The regulation applies to everyone in the chain, from data controllers to data processors, which means that cloud computing also falls within the scope of GDPR. If you are a resident of the EU, especially a business owner handling customer data, or you do business in the European Union, then it is high time to bring your cyber security compliance up to date with these global data privacy standards.