After four years of preparation, the EU General Data Protection Regulation (GDPR) will be in force on 25 May 2018, replacing the Data Protection Directive 95/46/EC as a game-changing regulation in data protection.
The GDPR regulates the privacy and handling of European Union (EU) citizens’ personal data and unifies data protection laws across the EU with a single set of rules.
This article outlines the key terms and issues you need to know about the GDPR:
- Personal Data; any information which can identify a “natural person”, whether directly or indirectly; it can relate to their private, professional or public life. This includes their name, birthday, e-mail address, IP address, pictures, social media, medical information, bank details and more. The GDPR refers to such a person as a “Data Subject”.
- Processing; any operation performed on or with personal data.
- Data Controller; an entity that determines the purposes, conditions, and means of the processing of personal data.
- Data Processor; an entity which processes personal data on behalf of the controller.
- Pseudonymous Data; personal data that cannot be tied to a specific data subject without additional information that is stored separately, with technical measures ensuring the data is not combined with that additional information.
- Anonymous Data; data that cannot ever be connected to an identified or identifiable person.
- Data Protection Authority (DPA); the national supervisory authority, acting with complete independence, responsible for monitoring the application of data protection rules at the national level.
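As an added illustration of the pseudonymous versus anonymous data definitions above (example code written for this article, not part of the original text or any regulatory guidance), the snippet below pseudonymizes a constructed patient record with a keyed HMAC token, keeps the key and the token-to-identity lookup table as the separately stored “additional information”, and contrasts that with an anonymized version that no longer links back to anyone. The record layout, field names and key are assumptions made up for the example.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed sample record; field names are hypothetical.
RECORD = {
    "name": "Alice Example",
    "email": "alice@example.com",
    "birth_year": 1984,
    "diagnosis": "asthma",
}

# Fields that identify the data subject directly.
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymize(record: dict, key: bytes) -> Tuple[dict, Dict[str, dict]]:
    """Replace direct identifiers with a keyed, deterministic token.

    Returns the working dataset (safe to hand to analysts) and a lookup
    table mapping token -> identifiers. Under the GDPR definition, the
    HMAC key and this lookup table are the 'additional information' and
    must be stored separately from the working dataset, under their own
    access controls.
    """
    token = hmac.new(key, record["email"].encode(), hashlib.sha256).hexdigest()[:16]
    working = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    working["subject_token"] = token
    lookup = {token: {k: record[k] for k in DIRECT_IDENTIFIERS}}
    return working, lookup


def reidentify(working: dict, lookup: Dict[str, dict]) -> dict:
    """Re-link a pseudonymized row; only possible with the separate lookup table."""
    return {**working, **lookup[working["subject_token"]]}


def anonymize(record: dict) -> dict:
    """Drop direct identifiers and generalize the rest so no link back remains.

    Birth year is coarsened to a decade; this is irreversible, so the result
    is anonymous data rather than pseudonymous data and the GDPR no longer
    treats it as personal data.
    """
    return {
        "birth_decade": record["birth_year"] // 10 * 10,
        "diagnosis": record["diagnosis"],
    }
```

The same key always yields the same token, so rows for one subject stay linkable inside the working dataset; a different key (or no key) gives no way to recover the e-mail address from the token.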
Key changes that may impact organisations include:
- Privacy-by-design; Data protection must be built into business processes and systems from the start and provided by default.
- Lawful basis for data processing; organizations must obtain the consent of a data subject in order to process personal data. Consent creates the lawful basis for data processing, and the data subject must agree via a clear statement or affirmative action. Requiring data subjects to grant broad consent to processing of their personal data when they register to use a service may not constitute freely given consent beyond processing that is necessary for providing the service. Additionally, organizations must be able to prove that they obtained valid consent.
- Data subject rights; data subjects now have a broad set of rights regarding their personal data. Data subjects can request that data controllers provide them with access to all personal data the controller maintains about them, and they can request that the data be corrected, deleted, frozen, or made portable (for example, downloaded). In addition, they can object to certain processing and revoke previously given consent.
- Data retention; personal data should only be kept for as long as is necessary, after which it must be securely destroyed or made anonymous.
- Right to be forgotten; users are able to request that their data be deleted; they can also request that a copy be sent to a third party.
- Mandatory breach notification; any breach of personal data must be reported to the Supervisory Authority within 72 hours of discovery and, depending on the extent of the breach, to affected Data Subjects without delay. (If there is a high risk of harm, data controllers must report data breaches to the data subjects as soon as possible.) Data processors must also notify data controllers of data breaches as soon as possible.
- Use of processors; data controllers must have written agreements with data processors that ensure processors act only in accordance with the controller’s instructions, implement appropriate security measures to protect the data, assist the controller with its compliance obligations, return or destroy personal data at the end of the relationship, and comply with the provisions of the GDPR applicable to processors.
- Profiling; the GDPR places certain restrictions on the automated processing of personal data to evaluate a data subject, or “profiling”. This includes monitoring or tracking data subjects to analyze or predict work performance, economic situation, health, behaviour, preferences, or attitudes. Automated processes that can result in a significant impact on an individual, such as denial of a job or credit application, are considered high risk and are permitted only in limited cases.
- Compliance obligations; before the GDPR, the law regulated primarily data controllers; the GDPR now imposes compliance obligations on data processors as well. These include requirements that processors only process personal data in accordance with the controller’s instructions, do not share data with other vendors without the consent of the controller, and implement appropriate security measures. The law also imposes several further compliance obligations on both data controllers and data processors: to put appropriate policies in place, to assess the privacy impact of changes to business practices, and to keep detailed records of data processing activities.
- Penalties for non-compliance; fines of up to 4% of a company’s annual worldwide turnover or €20 million, whichever is higher. Organisations found to be in breach of the GDPR risk significant fines.
- Data Protection Officer (DPO); any organization that regularly processes sensitive personal data on a large scale, or is involved in regular and systematic monitoring of data subjects, must appoint a data protection officer to ensure the organization complies with privacy law.
Who will be affected?