Following four years of preparation and discussion, legislation to improve the protection of EU citizens’ privacy in an increasingly digital world was adopted on 14th April 2016. In contrast to the current rulings, which only provide guidelines with regard to privacy protection, the new legislation that will become effective from 25th May 2018 is binding and legally enforceable in nature. This new regulation, referred to as the GDPR (General Data Protection Regulation), addresses the following main topics:
GDPR also applies to organizations based outside of the EU; legislative compliance is a prerequisite for operating within the European Union.
GDPR is not limited to organizations and processes within the EU; the regulations also apply to processes and data transfers outside of the European Union.
Non-compliance with GDPR legislation can result in a maximum fine of 4% of an organization’s worldwide income or €20 million per contravention.
GDPR extends previous definitions of what is considered to be ‘personal data’ to account for the modern complexities of today’s digital landscape.
Organizations are required to improve and clarify how they collect data about individuals and the purpose of collecting such data.
Organizations that store privacy-sensitive information are obliged to identify and appoint a DPO (Data Protection Officer).
GDPR gives a clearer definition of the obligations and limits that apply when profiling individuals; this applies to both customers and prospective customers.
Organizations holding information that falls under the GDPR definition of privacy-sensitive data are obliged to report data leaks and to have transparent procedures for handling them.
The GDPR requires that individuals and ‘users’ be provided with access to the data stored about them and the specific purpose for which this data is used.
The GDPR also defines the rights of individuals, including the right to demand the data held about them and to export it in a reusable format, based on open standards, that they may use elsewhere.
The right to be ‘forgotten’ represents a substantial challenge to organizations that need to implement measures to comply with the new rules regarding data protection. GDPR legislation forces organizations to anonymize data without losing their ability to retain valuable insights and relationships between data.
Finally, GDPR states that organizations that process privacy-sensitive information must be able to make explicit how they guarantee the privacy of data in addition to its security. This so-called ‘privacy-by-design’ sets new requirements for the architecture and design of information systems.
More information about the GDPR is available at https://www.eugdpr.org/, the EU’s website addressing this challenging topic.