What is GDPR?
The General Data Protection Regulation (GDPR) is the European Union's framework for the protection of personal data. It harmonises data protection rules across the EU and gives individuals stronger protection and more rights over their information. The EU Parliament approved it after four years of debate, and it has been enforceable since 25 May 2018.
The regulation applies to any organisation that processes the personal data of individuals (data subjects) residing in the EU, regardless of where the organisation is located, and to any organisation established in the EU. It applies both to controllers (the organisation or individual who determines why and how personal data is processed; if you run a business, that is you) and to processors (the organisation or person who processes data on behalf of a controller, often a third-party tool or service). It does not apply to processing covered by the Law Enforcement Directive, to processing for national security purposes, or to processing carried out by individuals purely for personal or household activities.
The GDPR could have a drastic effect on the data industry: individuals may withdraw consent or request erasure en masse, or restrict the use of their data to specific purposes. It forces controllers and processors to be cautious about reusing data collected for one purpose for a new one. The penalties and the accountability obligations are intended to deter careless handling of personal data. Many companies have chosen to apply the same protections to all of their users worldwide in order to win public trust internationally.
The need for the new regulation
The GDPR introduces new rules for protecting personal information, and the EU now has the strongest data protection rules in the world. The previous framework, the 1995 Data Protection Directive, was written in the 1990s and struggled to keep up with technological change. The GDPR changes how businesses may handle personal data and strengthens individuals' control over their information.
It covers both personal data (name, address, IP address, and so on) and the "special categories" of personal data, often called sensitive personal data (genetic data, political opinions and religious beliefs, sexual orientation, and so on). In the UK the regulation is enforced by the Information Commissioner's Office (ICO); every other member state has its own supervisory authority. The GDPR applies across the entire EU, but member states may supplement it in a limited number of areas, so national rules differ slightly.
The regulation gives people easier access to the data that organisations hold about them. It lays down a new fines regime and requires organisations to obtain clear, unambiguous consent from the people whose data they collect. Consent requests must be intelligible and easily accessible rather than buried in long, unreadable terms and conditions, and withdrawing consent must be as easy as giving it. Individuals also gain the "right to be forgotten", the right to have their data erased.
The GDPR allows fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher, for non-compliance. It is not yet clear how supervisory authorities such as the ICO will apply fines in practice, but the ceiling is steep.
A remark from Helen Dixon, Ireland's Data Protection Commissioner, underlines the need for startups to be better informed about the new rules: "One of the issues with startups is that when they're going through all the formalities new businesses go through, there's no data protection hook at that stage."
Regardless of Brexit, and of whether a future UK government changes domestic law again, a British company that processes the personal data of people in the EU must comply with the regulation.
The GDPR can be thought of as a transparency requirement that gives individuals control over their privacy. It is meant to let people trust organisations with their data while retaining the rights to be informed, to access and rectify their data, to have it erased, to restrict or object to its processing, to take it elsewhere (data portability), and to withdraw consent.
Organisations can demonstrate compliance in several ways. Implementing and documenting data protection policies is one; staff training and ongoing monitoring that shows the policies are actually followed is another. Any measure should be proportionate, risk-based and comprehensive, scaled to what your organisation does with personal data. Personal data breaches must be reported to the relevant supervisory authority, without undue delay and where feasible within 72 hours of becoming aware of them, which means breach detection and escalation procedures have to be in place before an incident happens.
According to Vincent Vanbiervliet, vice-president of product management at Sophos, GDPR turns security into a business value that we should embrace.