GDPR stands for General Data Protection Regulation and, at its core, is a new set of rules designed to give EU citizens more control over their personal data. It aims to simplify the regulatory environment for business so both citizens and businesses in the EU can fully benefit from the digital economy.
The new regulations are designed to reflect the world we’re living in now, bringing laws and obligations – including those around personal data, privacy and consent – across Europe up to speed for the internet-connected age. Below are 5 critical facts you need to know about GDPR:
1. GDPR Applies To All
The regulation applies to all companies worldwide that process the personal data of EU citizens. It specifically designates organisations with:
- A presence in an EU country
- No presence in the EU, but it processes personal data of EU residents
- More than 250 employees
- Fewer than 250 employees but its data-processing impacts the right and freedoms of data subjects, is not occasional or includes certain types of sensitive personal data.
2. Restricts Rules for Obtaining Valid Consent & Retaining Personal Information
Companies must be able to prove valid consent for using personal information with the regulation clearly defining which identifiers are considered personal information:
- An identification Number
- Location Data
- Online Identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Organisations need to plainly gather consent before collecting personal data, be clear about why they are collecting such information and fully understand that silence will no longer suffice as consent. Also, under GDPR, there is a requirement to not hold data for any longer than absolutely necessary and to not change the data from what it was originally collected for. Data subjects also have the right to request the deletion of their data.
3. Introduces a Swift Breach Notification Requirement
The GDPR regulation requires organisations to notify the local data protection authority of a data breach within 72 hours of discovering it. Organisations must also ensure that they have the technologies and processes in place that will enable them to detect and quickly respond to a data breach.
4. Introduces Mandatory Assessments & Expands Responsibility
Data Protection Impact Assessments are designed to demonstrate GDPR compliance. During one of these assessments, an organisation is required to describe the processing, assess the necessity and proportionality of processing and to help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data.
Previously, only data controllers were considered responsible for data processing activities however under GDPR, the liability to comply extends to all organisations that collect personal data.
5. Requires Privacy by Design
Intended privacy must be included in all software, systems, and processes by design. All software will have to the ability to completely erase data with IT leaders taking the lead to strategize a way to protect, locate and easily manipulate the personal data of their end users.