GDPR: What the new European Privacy Law Means for Your Business
What is GDPR?
GDPR, or the General Data Protection Regulation, was enacted by the European Union to govern the collection, processing, use and storage of personal data. The regulation covers any individual living in the EU (citizens, residents and visitors), as well as EU citizens living abroad. It became effective on May 24, 2016 but provided a two-year compliance period, with an enforcement date of May 25, 2018, by which time organizations must comply with its requirements.
The main objective of the GDPR regulation is to require companies to handle the personal data of individuals in a fair and transparent way.
Who must adhere to GDPR regulations?
All companies and organizations that provide services to individuals in the European Union (citizens, residents and visitors), as well as to EU citizens living abroad, must comply. The GDPR applies not only to organizations located within the EU, but also to any organization that processes or holds the personal data of individuals in the EU.
What is considered Personal Data?
Personal data can include a person’s full name, email address, home address, phone number, information related to their occupation, physical attributes, political views, health information, IP address, and other information described here on the official GDPR website. Collecting a small amount of identifying data is of little concern on its own; however, when several such data points are collected together, they could be used to establish someone’s identity.
Therefore, if the combination of collected data can be clearly linked to a person, it is considered personal data.
To simplify compliance with the GDPR, it’s best to collect and keep the minimum data needed for provision of services.
How GDPR Protects Users
The primary purpose of the GDPR regulation is to protect internet users and require companies to inform users of the purpose for collecting, storing, or using personal data.
The GDPR provides the following rights for individuals:
- Right to be informed – Users have the right to be informed about the collection and use of their personal data.
- Right of access – Users have the ability to access their personal data that is collected.
- Right of modification – Users have the right to access and modify their personal data.
- Right to be forgotten – Users can decide to terminate their relationship with an organization, and have their personal data deleted.
- Right to restrict processing – Users have the right to request the restriction or suppression of their personal data.
- Right of data portability – Users have the right to move, copy or transfer their personal data file to another company.
- Right to object – Users have the right to object to the processing of their personal data in certain circumstances.
- Rights in relation to automated decision making and profiling – In general terms, this protects users from unwanted targeted advertising and gives them control over re-marketing settings.
How do organizations adhere to GDPR requirements?
Some of the key privacy and data protection requirements of the GDPR include:
- Requiring the consent of subjects for data processing
- Anonymizing collected data to protect privacy
- Providing data breach notifications
- Safely handling the transfer of data across borders
- Requiring certain companies to appoint a data protection officer to oversee GDPR compliance
For a complete list of requirements, please consult the official documentation here.
The bottom line is that GDPR is encouraging transparency and accountability when it comes to data collection and privacy – which is a good thing.
It may require more disclosure, consent before collecting data, updates to existing policies, and safer data handling, but overall the new regulation provides valuable protection to internet users in the European Union and to EU citizens living in other countries around the world.