What is GDPR?
In 2016 the European Union (EU) adopted the General Data Protection Regulation, better known as the GDPR. The regulation becomes enforceable on May 25, 2018 in all EU member states, with no further national transposition required.
The GDPR replaces the Data Protection Directive (DPD) of 1995. As a directive, the DPD had to be transposed into national law and was not implemented uniformly across the 28 EU member states, and it had not kept pace with how personal data is now collected, stored and transferred.
The European Parliament, the Council of the European Union and the European Commission agree that the GDPR strengthens and unifies data protection for all individuals within the EU.
What type of data is protected under GDPR?
GDPR protects personal data. Article 4(1) of the regulation defines personal data as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person". Note how broad this is: a value does not have to name someone to be personal data; it is enough that it can be tied back to a person, alone or in combination with other data.
Types of personal data regulated by GDPR
- Basic identity information such as name, postal address and identification numbers
- Online and device data such as location data, IP addresses, cookie identifiers and RFID tags
- Health, genetic and biometric data
- Racial or ethnic origin, political opinions, religious beliefs and sexual orientation (together with health, genetic and biometric data these are "special categories" under Article 9 and are subject to stricter rules)
What organizations must comply with GDPR?
Any organization that collects or processes personal data of individuals in the European Union must comply, even if the processing takes place outside the EU. What matters is where the data subject is, not their citizenship. In practice, the following organizations need to comply with GDPR:
- Firms located in the EU
- Firms not located in the EU, if they offer free or paid goods or services to EU residents or monitor the behavior of EU residents
Note there is no grandfathering for previously collected personal data.
What happens if you do not comply with GDPR?
Failure to comply with GDPR can bring an administrative fine of up to 20 million euros or four percent of the enterprise's total worldwide annual turnover for the preceding financial year, whichever is higher.
What else do I need to know about GDPR?
You should seek legal counsel if you have collected or used, or plan to collect or use, personal data of individuals within the European Union member states. Below are some basic things to know about the General Data Protection Regulation (GDPR).
- Process personal data only for the specific, lawful purposes for which it was collected
- Keep personal data accurate and up to date, and protect its integrity
- Minimize the exposure of data subjects' identities, for example by pseudonymizing identifiers wherever the processing does not require the real identity
- Implement technical and organizational security measures appropriate to the risk
- Apply safeguards when data is kept for further processing beyond its original purpose
- Build data protection into systems by design and by default
- Make security a contractual requirement for processors, based on a risk assessment, with measures such as encryption and pseudonymization
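One concrete way to apply the "minimize the exposure of subject identities" and encryption points above is keyed pseudonymization: the working dataset carries an HMAC of the identifier instead of the identifier itself, while the secret key and the pseudonym-to-identity mapping are kept in a separately protected store. The following is an added example written for this page, not code from the original article or from any regulator; the class and function names, the vault design and the sample records are all assumptions constructed for illustration. It also shows that erasing a subject's entry from the mapping leaves the working copy unlinkable, which is one building block for honoring an erasure request.

```python
"""Added example: pseudonymizing a personal-data field with a keyed HMAC.

The working dataset only ever sees the pseudonym. The key and the
pseudonym -> identity mapping live in a separate vault, so a leak of the
working copy alone does not expose identities. Names below are assumptions
made for this example; the records are constructed, not real people.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records (fictional addresses).
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"email": "alice@example.org", "country": "DE", "plan": "paid"},
    {"email": "bob@example.org", "country": "FR", "plan": "free"},
]


def pseudonymize(value: str, key: bytes) -> str:
    """Deterministic keyed pseudonym. Without `key` the value can be
    neither recovered nor guessed by hashing candidate identifiers."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


class PseudonymVault:
    """Holds the HMAC key and the pseudonym -> identifier mapping.

    In production this would be a separately access-controlled store
    (HSM/KMS for the key, locked-down table for the mapping)."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        # 32 random bytes unless the caller supplies a key (e.g. from a KMS).
        self.key = key if key is not None else secrets.token_bytes(32)
        self._mapping: Dict[str, str] = {}

    def tokenize(self, identifier: str) -> str:
        """Return the pseudonym for `identifier`, recording the link."""
        token = pseudonymize(identifier, self.key)
        self._mapping[token] = identifier
        return token

    def reidentify(self, token: str) -> Optional[str]:
        """Look up the real identifier; None once it has been erased."""
        return self._mapping.get(token)

    def erase(self, identifier: str) -> bool:
        """Drop the link for one subject. Returns True if a link existed.
        After this, rows in the working dataset carrying the token can no
        longer be tied back to the person through this vault."""
        token = pseudonymize(identifier, self.key)
        return self._mapping.pop(token, None) is not None


def split_dataset(records: List[Dict[str, str]], vault: PseudonymVault,
                  field: str = "email") -> List[Dict[str, str]]:
    """Return a working copy of `records` with `field` replaced by its
    pseudonym. The originals are left untouched."""
    working = []
    for rec in records:
        copy = dict(rec)
        copy[field] = vault.tokenize(rec[field])
        working.append(copy)
    return working


if __name__ == "__main__":
    vault = PseudonymVault()
    working = split_dataset(SAMPLE_RECORDS, vault)
    print(working[0])                                   # email is now a hex token
    print(vault.reidentify(working[0]["email"]))        # alice@example.org
    vault.erase("alice@example.org")
    print(vault.reidentify(working[0]["email"]))        # None
```

Two design points matter here. A plain unkeyed hash would not count as pseudonymization in practice, because anyone can hash a list of known e-mail addresses and match them against the dataset; the HMAC key is what prevents that. And because the key alone cannot be reversed, re-identification depends on the mapping, so the mapping (and the key) must be protected and audited as personal data in their own right.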
Right to Erasure
Subject data cannot be kept indefinitely. GDPR requires organizations to completely erase a subject's data from all repositories, including backups and copies held by processors, when:
- Data subjects withdraw their consent and no other legal basis for processing applies
- A partner organization that shared the data requests its deletion
- The service or agreement for which the data was collected comes to an end and the data is no longer needed
Data Breach Notification
When a personal data breach occurs, organizations must:
- Notify the supervisory authority within 72 hours of becoming aware of the breach
- Describe the nature of the breach, its likely consequences and the measures taken to address it, and
- Communicate the breach directly to the affected data subjects without undue delay when it is likely to result in a high risk to them
Data privacy laws and regulations are needed to protect individual human rights and to protect people from harm. At the same time, personal data is essential for marketing services and products to the end consumer. As data collection continues to dominate the marketplace, governance will surely struggle to keep up with market demands.