What's happening? The General Data Protection Regulation (GDPR) approaches its second anniversary (25 May)
You may know about the GDPR, but maybe you missed some of the details. Here’s one thing you need to remember: GDPR’s penalties go up to 20 million Euros or four percent of your global turnover/revenue.
So have there been any fines since this regulation came into effect in May 2018? How fines are reported has changed, so you might not have heard much in the news, but there have already been many fines!
Interestingly, it's not just organisations that have been targeted—it's individuals, too. Take a look at the Information Commissioner's Office site to see the actions taken. For example, Facebook Ireland has been fined £500,000 for marketing to E.U. citizens without the correct consent, and Heathrow Airport has been fined £120,000 for losing a USB memory stick that had unencrypted personal data on it.
Something as simple as sending an email containing other people’s information could unintentionally expose your employer to a data breach and therefore to a fine under the rules of the GDPR. This means businesses need to continually assess how this regulation affects them and must ensure that both technological measures (software solutions) and organisational processes and procedures are in place.
Your organization needs to be GDPR compliant, and the more information you have, the easier the process will be. Start by getting familiar with the basic concepts of GDPR.
What is GDPR?
GDPR (General Data Protection Regulation) is the new legal framework in the EU that replaces the current EU Data Protection Directive. The most important difference between the two is the difference between a regulation and a directive.
A regulation is law and is legally binding, whereas a directive is a recommendation and is not legally binding. This means that GDPR is a law that must be followed by all European member states.
Alternatively, this can be explained as a regulation being a single set of rules that must be obeyed, while a directive is a set of rules that leaves room for interpretation.
What is the purpose of GDPR?
GDPR is intended to protect personal data and to govern how organizations process, store, and ultimately destroy it when the data is no longer required. The law gives individuals control over how companies can use information that directly relates to them personally and provides eight specific rights.
It also lays down very strict rules governing what happens if access to personal data is breached and the consequences (fines) organizations will suffer.
While the EU Data Protection Directive did not define data breaches, GDPR includes a very broad definition.
A data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.” “Personal data” is “any information relating to an identified or identifiable” person—not just data that could be used for fraud or identity theft.
These definitions matter because they mean many different events or activities qualify as violations of GDPR.
Who does GDPR apply to?
GDPR applies to your organization if:
It has a physical presence in at least one member state of the European Union.
It processes or stores data about individuals who reside in the European Union.
It uses any third-party services that process or store information about individuals who reside in the European Union.
So, there is a very strong chance that if you are reading this and you reside in the European Union, or work with an organization that has employees or customers in the European Union, you will be affected by GDPR.
What are my 8 rights under GDPR?
Right to be informed
This provides transparency over how your personal data is used.
Right to access
Provides access to your data, how it is used, and any supplemental data that may be used alongside your data.
Right to rectification
Your right to have your personal data rectified if it is incorrect or incomplete.
Right to erasure (or the right to be forgotten)
Your right to have personal data removed where there is no compelling reason to store it.
Right to restrict processing
You can allow your data to be stored but not processed. An example of when you may want to invoke this right is if you believe inaccurate data about you is being stored while awaiting rectification.
Right to data portability
You can request copies of information stored about you to use elsewhere, such as if applying for financial products across a number of vendors.
Right to object
You can object to your data being processed. One example is objecting to your data being used by direct marketing organizations. If you object, the regulation specifies that they must comply.
Rights related to automated decision making and profiling
You can object to automated decisions being made based on your personal data. Automated means without human intervention. An example is your online shopping habits being inferred from your previous online behaviour.
If an organization or processor breaches a condition, the penalties are high. Businesses currently face fines of up to 20 million euros or four percent of global turnover.
Now that we’ve explained the basic concepts behind GDPR, you can start considering what steps your organization must take to become GDPR compliant. Stay tuned for future articles that delve into what GDPR means for IT teams.
Contact the GDPR professionals at HelpSystems for a free 30-minute consultation. We’ll help you determine what you need to do next to get ready for GDPR.