10 things you should know about GDPR
At this point you might be aware, GDPR – the General Data Protection Regulation for all individuals within the European Union takes effect on 25 May 2018.In this post,we take look at some important points you should know about GDPR.
Quick Snapshot
- #1.What is GDPR ?
- #2.Who does it Affect ?
- #3.Does it apply only to organisations within EU ?
- #4.What is personal data ?
- #5.What if I don’t comply ?
- #6.If I store data or process data in Cloud,would I be exempt ?
- #7.Is there any changes related to consent ?
- #8.Appointment/Role of Data Protection Officer
- #9.Data breaches should be notified within 72 hours
- #10.Privacy by Design
- Additional Resources
#1.What is GDPR ?
GDPR stands for General Data Protection Regulation, and refers to the European Union regulation for data protection for all individuals within the European Union.The regulation (Regulation (EU) 2016/679) becomes enforceable on 25 May 2018 and replaces the data protection directive (officially Directive 95/46/EC) from 1995.
#2.Who does it Affect ?
Any individual or organisation that stores or processes personal information on an identifiable person from an EU member state (regardless if the processing or storage of information occurs in the EU or not) are affected by GDPR. GDPR rules also applies if the individual or organisation themselves is located in an EU member state.
#3.Does it apply only to organisations within EU ?
The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects.
#4.What is personal data ?
Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
#5.What if I don’t comply ?
Under GDPR organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements e.g.not having sufficient customer consent to process data or violating the core of Privacy by Design concepts.
#6.If I store data or process data in Cloud,would I be exempt ?
Both controllers and processors (clouds etc.,) are within GDPR enforcement.A controller is the entity/organisation that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity/organisation which processes personal data on behalf of the controller.
Conditions for consent have been strengthened.Also parental consent would be required to process the personal data of children under the age of 16 for online services.
#8.Appointment/Role of Data Protection Officer
DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data. For others,DPO appointment is not mandated.
DPO appointment will be mandatory only for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences.
#9.Data breaches should be notified within 72 hours
Data breaches which may pose a risk to individuals must be notified to the DPA within 72 hours and to affected individuals without undue delay.
#10.Privacy by Design
GDPR calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition. Article 23 calls for controllers to hold and process only the data absolutely necessary for the completion of its duties , as well as limiting the access to personal data to those needing to act out the processing.
It is important to note that the GDPR is a regulation, in contrast the the previous legislation, which is a directive.
Like this post? Don’t forget to share it!
Additional Resources
- GDPR agreed text
- GDPR Portal
Average Rating