What does GDPR stand for?
GDPR stands for General Data Protection Regulation.
When did GDPR come into effect?
The General Data Protection Regulation, or GDPR, came into effect on 25 May 2018 and replaced the EU’s 1995 Data Protection Directive.
What is GDPR?
General Data Protection Regulation 2016/679 (GDPR) is the EU regulation on data protection and privacy for all persons in the EU. It applies to companies that handle data from EU citizens, whether those companies are located inside or outside the EU. It doesn’t matter where a company is physically located: if your company handles data from EU citizens, it must comply with the GDPR. The regulation entered into force on 25 May 2018.
The purpose of the GDPR is to give EU citizens back control over their personal data. People have (and should have) the right to know what information companies hold about them. From a societal point of view, the GDPR gives people the right to demand insight into previously uncharted territory. And that’s a good thing. That said, the GDPR can be troublesome for businesses, as GDPR compliance is more than lip service.
GDPR legislation
The GDPR applies to all organizations with EU or national customers and applies to any type of data, including names, addresses, email addresses and IP addresses. EU data protection legislation is set out in the Charter of Fundamental Rights, which was included in the Treaty of Lisbon in 2007. The EU Data Protection Directive of 1995 (Directive 95/46/EC) established a system for the protection of personal data processed by employers and others.
GDPR regulations
Organizations must take steps to protect user data from accidental or unauthorized access, destruction, alteration or unauthorized use. They must also ensure that data is quality controlled and protected against unauthorized access, alteration or destruction. Finally, they must take measures to ensure that individuals have the right to information about, and access to, their data protection rights. Among the rules is that all companies that collect and process personal data from individuals must comply with the GDPR. This includes companies operating outside the EU that collect and process data about EU citizens. The regulation also allows individuals to request their personal data in a portable format that they can access from any device. Finally, the regulation imposes a greater responsibility on companies to report personal data breaches within 72 hours.
Who does GDPR apply to?
From 25 May 2018, all companies doing business in the EU must comply with the General Data Protection Regulation. This regulation lays down strict rules for how personal data must be collected, used and protected. It also gives EU citizens more control over their personal data. This means that companies must be able to protect personal data and comply with the GDPR in order to do business in the EU. The regulation applies to both data controllers and data processors.
A regulation for the protection of personal data
As the digital age continues to evolve, so does the way companies collect and store consumer data. In an effort to protect people’s privacy, many countries have implemented regulations on how personal data can be collected and used. These rules vary from country to country, but they all aim to give individuals more control over their personal data. In the European Union, the General Data Protection Regulation applies to any company that processes or intends to process personal data about individuals in the EU.
Why is GDPR important?
The General Data Protection Regulation (GDPR) was created to protect the privacy of digital data. The regulation is important because it sets a precedent for how companies must handle the personal data of EU citizens. The regulation is also important because it gives individuals the right to know what personal data is being collected about them, the right to have that data deleted and the right to object to its processing.
How does GDPR affect your business?
The GDPR is an amendment to the previous directive, but with some important changes that significantly affect your business. Below you can find the new and changed guidelines that are important to be aware of. The list should not be seen as exhaustive, but as an overview of important areas that will affect your business:
- Consent
- Guidance on data breaches
- Right of access
- Right to be forgotten
- Data portability
Consent
Consent refers to an individual’s express approval that allows your company to use their data in numerous ways. This does not mean that companies must obtain consent from the individual every time personal data is collected. To give you an example, think of the scenario where you visit a website that offers a free healthy meal plan. In order to provide you with the best plan, you must provide information (personal data) about yourself. You need to fill in how old you are, how much you weigh, etc. All this information is necessary to provide you with a healthy meal plan. The company does not need consent to collect the personal data in this case, as the data is part of providing you with a good meal plan, i.e. a “legitimate use”. But if the information is also used for marketing purposes, consent will be required to use the data in that connection.
Guidance on data breaches
Not all data breaches are created equal. The spectrum of what is defined as a data breach is very broad, and the actions required change along that spectrum depending on the specific breach. If an employee loses their company phone, you as a company do not have to report it to the data authorities, as long as the phone is password protected or otherwise encrypted. At the other end of the spectrum, if your company finds that your database has been hacked, it is your responsibility to inform the relevant data authorities within 72 hours of becoming aware of the breach.
Right of access
Individuals have the right to request access to all personal data about them. This means that your company must present all the personal data you have about the specific person, free of charge and in a format that is electronic and understandable. And don’t try to send it in binary code.
Right to be forgotten
You are bound to forget everything you know about a person. This means that your company must delete the personal data in question and stop passing it on. This applies, however, only if the company does not have a legitimate use for the data AND the person actively requests to have it deleted.
Data portability
The person can, under various circumstances, request that your company either hand over all the personal data relating to them, or send this data to another company. Please note that it must be in a machine-readable format! So no binary code here either.
What happens if I don’t comply with GDPR?
In short – not complying with the GDPR can have devastating consequences for your business. Non-compliance can cost you fines of up to EUR 20 million or 4% of your global turnover – whichever is higher. Regardless of the size of your business or the scope of your business, you cannot afford not to comply with GDPR.
If this doesn’t scare you, consider a survey by Veritas, which claims that 40% of EU citizens plan to exercise their right to access the data that companies hold about them. In practical terms, there is a good chance that past or present customers or employees will demand that you tell them what data you hold on them. Quite apart from the looming threat of huge fines, think about the time it will cost your business to deal with these requests. Not only do you need to send the data to people, but your business needs to find this data quickly to maintain operational efficiency. You have one month from receipt of the request to supply the data. Furthermore, if your company receives many access requests, it can become too much of a task if you don’t have procedures in place – which can ultimately lead to a breach.
Do you need help with GDPR?
To begin with, you have to accept that the journey to becoming compliant does not end; it is a continuous process. Break your process down into steps and take them one at a time. We have made a checklist here.
Sebastian Allerelli
Governance, Risk & Compliance Specialist