The General Data Protection Regulation (GDPR) is a set of new rules being introduced by the European Union to make it easier for residents of EU countries to protect their personal data online. It will come into effect on May 25th, 2018. GDPR applies to businesses around the globe that process the data of European citizens. It applies to both controllers and processors: the controller decides how and why data is processed, and the processor acts on the controller's instructions.
Before an organization collects personal data, it must obtain consent from the data subject. That consent must be unbundled (given separately for each data field and for each purpose the data will be used for) and should be stored securely so it can be demonstrated later. The data subject can withdraw their consent at any time. This is covered in Articles 7 and 8 of the regulation.
Right of access
Data subjects should be able to access their data held by the controller and to have it corrected. This is covered in Articles 15 and 16 of the regulation. Individuals have the right to obtain:
- Confirmation that their data is being processed
- Access to their personal data
- Other supplementary information
Article 17 covers erasure. Data subjects have the right to have their data erased if any of the following apply:
- The controller doesn’t need the data anymore
- The subject withdraws the consent to the processing they previously gave (and the controller has no other legal basis for keeping it)
- The subject uses their right to object (Article 21) to the data processing
- The controller and/or its processor is processing the data unlawfully
- There is a legal requirement for the data to be erased
- The data subject was a child at the time of collection
Article 32 requires data controllers and data processors to implement measures that ensure a level of security appropriate to the risk presented by the processing, including, where appropriate:
- The pseudonymization and encryption of personal data;
- The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
What happens if you fail to comply
GDPR allows serious fines to be imposed on companies that fail to comply with its rules. Fines of up to $20m or 4% of the company's annual turnover can be issued. It is the Information Commissioner's Office (ICO) that has the power to hand out these fines.
Official GDPR website: https://www.eugdpr.org/