The European Union General Data Protection Regulation, otherwise known as the GDPR, was four years in the making. The European Parliament approved the GDPR in April 2016, and it became enforceable on May 25, 2018. From that date organizations must be fully compliant with the regulation or face punitive measures. The GDPR replaces the Data Protection Directive 95/46/EC and, unlike a directive, applies directly in every member state without first being transposed into national law; its aim is to standardize data protection across the European Union for the benefit of individuals and organizations across the continent.
The GDPR is designed to protect the personal data of individuals in the EU, including their browsing and online activity, against misuse by organizations as well as against hackers and cybercriminals, and to ensure that processing rests on a valid lawful basis such as consent. Compared with the 1995 directive, the GDPR has a wider territorial scope: it covers controllers and processors established in the EU regardless of where the actual processing takes place, and it also covers organizations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. The directive was nebulous on this point; the regulation is explicit. Penalties for non-compliance can be as high as 4% of worldwide annual turnover or €20 million, whichever is higher. This top tier of fines applies to breaches of the basic principles of processing, including the conditions for consent, so a company that processes personal data without the requisite consent or other lawful basis is exposed to the maximum penalty.
Companies that try to befuddle their users with complex legal jargon will not be looked upon kindly. A request for consent must be presented in a clear, easily accessible form, using plain and concise language, and users must be able to give or withdraw consent without difficulty. The regulation grants data subjects a set of rights, including the right to be notified of a breach that is likely to put them at high risk, the right of access, the right to be forgotten (erasure), and the right to data portability. Alongside these rights it imposes obligations on organizations, such as data protection by design and by default and, in certain cases, the appointment of a data protection officer. The regulation also expressly sets out the conditions under which personal data may be transferred outside the European Union.
How long data may be kept depends on the purpose of the processing and on sector requirements; credit reference agencies, for example, are permitted to retain consumer credit data for six years. The GDPR also singles out special categories of personal data: anything relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, physical or mental health, or sex life and sexual orientation is treated as sensitive data and may only be processed under narrow conditions, and data about criminal convictions and offences is subject to separate restrictions. Consent is one of the lawful bases for processing personal data (though not the only one); the conditions for valid consent are set out in Article 7 and elaborated in Recital 32. Consent must be freely given, specific, informed and unambiguous, and clearly signalled by the user, for example through a statement or an affirmative action on a website. People may be inclined to simply block cookies and other tracking mechanisms so that their browsing activity cannot be monitored, but doing so may bar them from accessing certain websites.
The conditions for consent in Article 7 rest on four principles:
· The controller must be able to demonstrate that the user has consented
· Where consent is given in a written declaration that also covers other matters, the request for consent must be clearly distinguishable from those other matters
· Users must be able to withdraw consent at any time, and withdrawing must be as easy as giving it
· Consent is not freely given if performance of a contract is made conditional on consent to processing that is not necessary for that contract
Under the old directive, liability rested with the data controller, not the processor. Now both parties carry direct obligations and can be held liable. From a company's perspective, compliance is sacrosanct. A data protection officer is now mandatory for public authorities and for organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data. The regulation creates additional responsibility for SMEs, but it also allows greater flexibility to determine how personal data is managed based on individual business operations. Although the GDPR applies directly, EU member states must pass supplementary national legislation to implement it, and at the time of writing many have not yet done so. The regulation applies to organizations whether they are based in the European Union or not: if they hold or process personal data on individuals in the EU, the GDPR applies to them.