The EU General Data Protection Regulation (GDPR) aims to protect all EU citizens from privacy and data breaches in an increasingly data-driven world.
When it was first established in 1995, the initial directive was intended to protect against data breaches within the European Commission. Since then it has been expanded and amended to keep pace with changes in society.
Who Does This Apply To
- The GDPR applies to ‘controllers’ and ‘processors’.
- A controller determines the purposes and means of processing personal data.
- A processor is responsible for processing personal data on behalf of a controller.
Impact and Changes
With the update to the GDPR, companies now have a clearer understanding of data protection and privacy.
The biggest change is the extended jurisdiction: the GDPR now covers companies and how they use and process the personal data of persons residing within the EU. It applies to the processing of personal data by controllers and processors within the EU, regardless of whether the processing itself takes place within the EU or not.
Organisations in breach of the GDPR can now be fined 4% of annual global turnover or €20 million. This is the maximum fine that can be imposed and is reserved for the most serious cases. These rules apply to both controllers and processors, meaning “clouds” will not be exempt from GDPR jurisdiction.
Companies will no longer be able to use long, illegible terms and conditions: the request for consent must be clear and readable, and consent must be as easy to withdraw as it is to give.
Data Subject Rights
Breach notification is now mandatory in all member states where a breach is likely to result in a risk to the rights and freedoms of individuals. Notification must be made within 72 hours of becoming aware of the breach.
Part of the expanded rights of data subjects is the right to obtain confirmation from the controller as to whether or not personal data concerning them is being processed. The controller must provide a copy of the personal data free of charge in an electronic format.
The right to be forgotten, or data erasure, entitles the data subject to have the controller erase his or her personal data if the data is no longer relevant to its original purposes.
Data portability gives the data subject the right to receive the personal data concerning them that they have previously provided, and to transmit that data to another controller.
More information on the GDPR can be found here.