Since the General Data Protection Regulation (GDPR) was passed in May of 2018, there has been a lot of confusion about what it actually means and how it will be enforced. This article is meant to provide a better understanding of the GDPR and dispel some of the myths that have been circulating since its passage.
The 7 principles of GDPR
The General Data Protection Regulation (GDPR) was introduced in May 2018 as a response to the UK’s General Data Protection Regulation (GDPR). The GDPR replaces the 1995 EU Data Protection Directive and will apply in all EU member states from 25 May 2018. The regulation also sets out the 7 principles of GDPR relating to the processing of personal data. These principles are:
- Lawfulness, fairness, and transparency: personal data must be collected and processed in a transparent, fair, and lawful manner.
- Purpose limitation: personal data may only be collected for specified, explicit, and legitimate purposes.
- Data minimization: personal data must be adequate, relevant, and limited to what is necessary for the purposes for which it is being processed.
- Accuracy: personal data must be accurate and kept up to date where necessary.
- Storage limitation: personal data must not be stored for longer than is necessary for the purposes for which it was collected or processed.
- Integrity and confidentiality: personal data must be kept safe and secure from unauthorized access, alteration, or destruction.
- Accountability: the controller of personal data must be accountable for complying with the GDPR principles.
Under the GDPR, organizations that breach these principles can be subject to fines of up to 4% of their global annual turnover or €20 million, whichever is greater.
Scope of application of GDPR
One of the most common misconceptions about the GDPR is that it applies to every company located outside of the EU. This is not the case. The GDPR applies only to companies that process or store the personal data of EU citizens, regardless of where the company is located.
Data protection rights templates for organizations
It is vital for organizations that process or store personal data to know about the data protection rights of individuals. They must provide specific information to individuals about their data protection rights.
The right to be informed
Individuals have the right to be informed about the collection and use of their personal data. This includes being told what personal data is being collected, why it is needed, how it will be used, and who it will be shared with. Individuals must also be given clear and concise information about their rights under GDPR.
The right of access
Individuals have the right to ask for a copy of their personal data, as well as details about how it is being processed. This allows individuals to check that their data is being used in accordance with GDPR.
The right to rectification
Individuals have the right to ask for their personal data to be corrected if it is inaccurate or incomplete.
The right to object
Individuals have the right to object to the processing of their personal data for certain reasons, including where it is being used for marketing purposes.
The right not to be subject to automated decision-making
Individuals have the right not to be subject to decisions that are based solely on automated processing, including profiling. This means that organizations must take into account individuals’ human rights and privacy interests when making these types of decisions.
Provisions regarding consent
Organizations that process personal data must also ensure that they have valid consent from individuals before collecting or processing their data. Consent must be freely given, specific, informed, and unambiguous. It must also be easy for individuals to withdraw their consent if they no longer want their data to be processed.
Under the new law, individuals will have the right to access their personal data as well as information about how it is being processed. Below are some notable changes under the new GDPR law.
- The definition of personal data has been expanded, and now includes any information that can be used to directly or indirectly identify an individual.
- Consent must be freely given, specific, informed, and unambiguous. It must also be revocable at any time.
- Organisations will be required to appoint a Data Protection Officer (DPO), who will be responsible for ensuring that the organisation is compliant with the new law.
- Rights of individuals with regards to their personal data include the right to access their data, the right to change their mind about consent, the right to have their data erased (the “right to be forgotten”), and the right to object to automated decision-making.
There are also new provisions regarding data breaches. Some of them are described below.
- Organisations must report data breaches within 72 hours, unless the breach is unlikely to cause any harm to the individuals concerned.
- Organisations will be fined up to 4% of their global annual revenue or €20 million, whichever is greater, for serious breaches of the law.
Individuals who believe their rights have been violated will be able to file a complaint with the supervisory authority, which is responsible for enforcing the law.
Other key provisions
- The law applies to both EU and non-EU organisations that process the personal data of EU citizens.
- Organisations must appoint a representative in the EU if they are not based in the EU.
- The law will come into effect on 25 May 2018.
The GDPR has been in effect since May 25th, 2018. Companies that were not in compliance by that date, and those that have still not updated their systems to be GDPR-compliant, may face heavy fines. However, the GDPR is not a one-size-fits-all regulation, and companies should not try to implement all of its provisions at once. Rather, they should take a phased approach, implementing first those provisions that are most relevant to their business.
The GDPR is a complex regulation. Even though the law took effect nearly four years ago, there is still a lot of confusion about how it will be enforced. However, with a better understanding of what it is and what it requires, companies can start to make the necessary changes to comply with it.