From 1950, when the European Convention on Human Rights was signed, to the present, privacy law has come a long way. As technology advanced, the EU recognized the need for modern protections, which led in January 2012 to a wide-ranging data protection reform.
The subject of this article, the GDPR, is one of the key components of that reform.
On May 25, 2018, the GDPR took effect and significantly changed the privacy practices of companies.
But what is the GDPR, and who is affected by it?
The GDPR (General Data Protection Regulation) is one of the strictest data privacy and security laws in the world and introduces new requirements for any organization that collects or processes personal data of people in the EU. This means that any organization processing data about people in the EU must be GDPR-compliant, regardless of where it is headquartered or where the data is stored. Note that the test is the location of the data subject, not citizenship.
The GDPR defines an array of legal terms at length. Some of the most important ones are data controller and data processor.
Data controller: The natural or legal person (typically the organization itself, not an individual employee) that decides why and how personal data will be processed. If your organization determines the purposes and means of processing, it is the controller.
Data processor: A third party that processes personal data on behalf of a data controller. In other words, companies that assist in collecting or working with the data, but have no decision-making authority over why and how it is processed, are data processors (for example, a hosting or e-mail marketing provider).
The burden of GDPR compliance falls most heavily on data controllers, who are usually the customer-facing party, although processors have direct obligations too. In any case, the privacy notices required by the GDPR must identify who the data controller is and the recipients (or categories of recipients) involved in handling the information, which includes processors.
If a company is not compliant, the supervisory authorities empowered by the GDPR can impose very high fines.
Because GDPR fines are designed to make non-compliance a costly mistake for both large and small businesses, any organization that is not GDPR compliant faces a significant liability.
There are two main tiers of penalties.
The less severe infringements (for example, failing to keep records of processing or to notify a breach in time) can result in a fine of up to €10 million, or 2% of the firm's total worldwide annual turnover from the preceding financial year, whichever amount is higher.
The more serious infringements go against the core principles of the GDPR: the basic principles for processing, the conditions for consent, and data subjects' rights such as the right to be forgotten. These can result in a fine of up to €20 million, or 4% of the firm's total worldwide annual turnover from the preceding financial year, whichever amount is higher.
Here are the essential requirements set by the EU for organizations that handle the personal data of people in the EU:
Consent. The GDPR puts a stop to long, illegible terms and conditions full of legalese. In a nutshell, a request for consent must be intelligible, easy to access, and presented in clear and plain language, and consent must be freely given, specific, informed and unambiguous, and as easy to withdraw as it was to give. Consent is only one of the lawful bases for processing (others include performance of a contract, a legal obligation, and legitimate interests), but where no lawful basis applies, an organization has no right to process the personal data at all.
Right of access. Among the several rights established by the GDPR, data subjects can obtain confirmation as to whether or not personal data concerning them is being processed, and if so, which data, for what purpose, and with whom it is shared. Moreover, the controller must provide a copy of the personal data free of charge, and, where the request is made electronically, in a commonly used electronic format.
Data Protection Officer (DPO). A DPO is mandatory only in specific cases, namely for public authorities, for organizations whose core activities involve regular and systematic monitoring of data subjects on a large scale, and for those processing special categories of data on a large scale. Even where it is not required, having such a role, even informally, can be a good idea. The DPO acts as an intermediary between the organization, data subjects and the supervisory authority, and may be either an employee or an external service provider.
Privacy by design. Privacy by design can be considered a "new entry", since the GDPR is among the first laws to make it a binding legal requirement (Article 25, "data protection by design and by default"). Basically, privacy by design requires data protection to be built in from the outset of designing a system, rather than bolted on afterwards.
When talking about privacy by design, there are two key concepts to bear in mind: data minimization (collect and keep only the personal data needed for the stated purpose) and limited access to personal data (only those who need it to carry out the processing should be able to reach it).
Right to be forgotten. The right to be forgotten (right to erasure) entitles the data subject to have the data controller erase their personal data, for instance when the data is no longer necessary for the purposes for which it was originally collected, or when the data subject withdraws consent. Nonetheless, the right is not absolute: when considering such a request, the data controller may weigh the subject's rights against "the public interest in the availability of the data", and erasure can be refused where processing is still required, for example to comply with a legal obligation or to exercise freedom of expression.