The General Data Protection Regulation (GDPR) is new European Union (EU) legislation that comes into force on the 25th of May to safeguard the personal data of EU citizens. With the exchange and collection of personal data at the heart of everyday interactions, from social media to banking, GDPR primarily aims to give EU citizens more control over how organisations store and use their personal data.
Moreover, in light of the large number of high-profile data breaches that have occurred over the past few years, GDPR will protect individuals' personal data from being misused and exploited.
How does GDPR protect EU citizens?
Right to access – Individuals have the right to ask how their data is being used by an organisation after it has been obtained
Right to be forgotten – If an individual is no longer a customer, they can remove their consent for the organisation to use their personal data and also request for the data to be permanently deleted
Right to data portability – Individuals have the right to transfer their personal data from one service provider to another
Right to be informed – Organisations must obtain clear consent from individuals on whether or not they wish for their personal data to be gathered by them
Right to have information corrected – Individuals can ask an organisation at any time for their data to be updated/adjusted if it is incorrect, out-of-date or incomplete
Right to object – Individuals can ask organisations to stop processing their personal data for the sole purpose of direct marketing
Right to be notified – If an organisation experiences a data breach which compromises its customers' personal data, the individuals in question have to be informed within 72 hours of the organisation having first become aware of the breach
Who is subject to GDPR?
GDPR applies to any organisation operating within the EU. It likewise applies to organisations outside the EU that offer their goods and services to customers (B2C) or businesses (B2B) in the EU.
The GDPR legislation applies to two different types of data handlers: ‘processors’ and ‘controllers’. A controller is defined as a “person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data”, whilst a processor is a “person, public authority, agency or other body which processes personal data on behalf of the controller”.
GDPR places legal obligations on a processor to maintain records of personal data and of how it is processed. Controllers, in turn, will be required to guarantee that all contracts with processors are in compliance with GDPR.
To adhere successfully to GDPR requirements, organisations will need to evaluate how their different divisions and departments (IT, sales, marketing, finance, human resources, legal, etc.) can best collaborate to ensure both compliance and accountability.
What is considered as personal data under GDPR?
Due to the range and types of data that most organisations now collect about individuals, the EU has considerably expanded the definition of personal data under the GDPR umbrella. It includes basic information such as names, addresses and debit/credit card numbers. It also includes less obvious details such as IP addresses and economic, cultural, social and mental health information.
Going forward with GDPR
GDPR will push businesses to take a more disciplined approach to personal data. There will be no tolerance for shortcuts or errors: organisations will be held accountable for their actions and face hefty fines. With this in mind, it is always important for organisations to ask themselves:
- Why are we storing and then saving/archiving all this data?
- Is storing certain types of data necessary or even useful in any way?
- What are we trying to achieve with all the data we store?