These days, we hear the GDPR abbreviation from almost every entrepreneur who runs a business in the EU. Those four letters appear on the Internet and in social media news feeds pretty much every day. In recent weeks, users in many countries have kept receiving emails from various services announcing updated user agreements modified in accordance with the GDPR. Lawyers are talking about it even more and looking for the most effective and quickest way to address it. But there is no need to worry — companies around the world have updated their systems for protecting and processing personal data according to the new EU regulation. Let's take a closer look at what the GDPR is, who it applies to, and how the new regulation will work for services provided on the Internet.
What is GDPR?
The General Data Protection Regulation (GDPR) is the European Union regulation that introduces a new approach to the processing and storage of personal data. The regulation was adopted on April 27, 2016. After a two-year transitional period, on May 25, 2018, the GDPR came into force in all 28 EU member states and in the countries of the European Economic Area (EEA). Because a regulation is directly binding, it does not require EU governments to make any changes to local laws.
What is the purpose of GDPR?
The main purpose of the GDPR is to create a solid legislative framework for protecting the privacy of all EU citizens. It sets out requirements for anyone who collects, uses or processes personal data in their work. Here are the three fundamentals on which the GDPR is based:
- Protection of personal data
- Protection of the rights and freedoms of people who want their data protected
- Restrictions on the transfer of personal data within the EU
What is personal data under the GDPR?
Personal data under the GDPR is any information that can be used, directly or indirectly, to identify a person. As stated in the document, this means one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of an individual.
Personal data under the GDPR includes:
- full name
- phone number
- e-mail address and place of permanent residence
- bank account number, card number and card expiry date
- information about nationality
- political or religious views
- blood group data
- biometric and passport data
- identification code
- information about the level of personal income
- current location
- IP address, etc.
Distinctive features of GDPR: to whom it is applied, privacy, violations and penalties
The GDPR replaces Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The regulation differs from it in several significant ways:
Broader legal reach
First and foremost, the GDPR applies to all companies that process the data of EU citizens, regardless of where the companies themselves are located. In general, any organization that offers goods or services to natural persons in the EU, conducts marketing research or monitors the behavior of EU citizens falls within the scope of the GDPR. That is, if your company has at least one customer from the European Union whose personal data you store, you are automatically subject to the GDPR.
In addition, the new rules of the regulation apply to ordinary users who use European online services or visit sites while they are in one of the EU countries. But if both the company and the user are outside the EU, the GDPR does not apply to them.
Privacy is the priority
According to GDPR requirements, any company whose services are used by EU citizens should build data protection into its online services from the very beginning of development, not add it later as an extra component.
In particular, the user should know exactly what personal data the company stores, how long the data is kept, whom it transfers the data to and how the data will be used further. At the client's request, the organization should provide all this information (within a month, or within three months in individual cases). The user also has the right to request correction of the data. Although large companies already let users view the personal data they store, this information must now be presented in a more understandable and well-structured form.
Consent and the right to erasure
A user's consent to the processing of personal data must now be clear and unambiguous. Another important provision of the GDPR is the right to withdraw that consent at any time, known as "the right to erasure." Moreover, the procedure for withdrawing consent should be as simple as the procedure for giving it.
Notification of violations and penalties
In case of non-compliance with the regulation, the company should take action to resolve the problem within 72 hours of receiving and reading the user's alert about a security breach.
It is important that all companies that fall under the rules take appropriate measures to protect personal data. Compliance with GDPR rules is enforced through strict sanctions. Violators face fines that can amount to 2-4% of the company's annual turnover.
If you ask whether it is time to apply the GDPR to your company, we will definitely answer: "Yes!" This law will eventually extend to other states outside the EU, so it is better to process users' personal data according to the new standards now. Implementing the GDPR is a competitive advantage for business that will increase the company's credibility. For more information, you can read the full text of the GDPR here.