GDPR explained

Following four years of preparation and discussion, legislation to improve the protection of EU citizens’ privacy in an increasingly digital world was adopted on 14th April 2016. In contrast to the current rulings, which only provide guidelines with regard to privacy protection, the new legislation that will become effective from 25th May 2018 is binding and legally enforceable in nature. This new regulation, referred to as the GDPR (General Data Protection Regulation) addresses the following main topics:

  • Geography

    GDPR also applies to organizations based outside of the EU; legislative compliance is a prerequisite for operating within the European Union.

  • International

    GDPR is not limited to organizations and processes within the EU, the regulations also apply to processes and (data) transfer outside of the European Union.

  • Enforcement

    Non-compliance with GDPR legislation can result in a maximum fine of 4% of an organization’s world-wide income or €20 million per contravention.

  • The Scope of what is considered to be Personal Data

    GDPR extends previous definitions of what is considered to be ‘personal data’ to account for the modern complexities of today’s digital landscape.

  • Responsibility for Information Processing

    Organizations are required to improve and clarify how they collect data about individuals and the purpose of collecting such data.

  • Data Protection Officers

    Organizations that store privacy-sensitive information are obliged to identify and appoint a DPO.

  • Profiling

    GDPR has a clearer definition of commitment and limits when profiling individuals; this applies to both customers and prospective customers.

  • Notification of data leaks/compromises

    Organizations with information that falls under the GDPR definition as privacy-sensitive are obliged to report data leaks and to have transparent procedures for handling them.

  • Transparency and insight into personal data

    The GDPR requires that individuals and ‘users’ should be provided with access to data stored about them and the specific purpose for which this data is used.

  • Portability

    The GDPR also defines the rights of individual’s including the right to demand data held about them and to export this in a reusable format, based on open standards, that they can may use elsewhere.

  • The right to be forgotten

    The right to be ‘forgotten’ represents a substantial challenge to organizations that need to implement measures to comply with the new rules regarding data protection. GDPR-legislation forces organizations to anonymize data without losing their ability to retain valuable insights and relationships between data.

  • Privacy by design

    Finally, GDPR states that organizations that process privacy-sensitive information must be able to make explicit how they guarantee the privacy of data in addition to its security. This so-called ‘privacy-by-design’ sets new requirements for the architecture and design of information systems.

More information about the GDPR is available at: https://www.eugdpr.org/ . The EU’s website addressing this challenging topic.