GDPR in a nutshell
GDPR (“General Data Protection Regulation”), the much-discussed regulation on data security, is the new law that enforces the protection of the personal and identifiable information of all EU citizens by organisations operating within and outside of the EU. It was adopted and approved by the EU Parliament on 14th April 2016. After a two-year transition period, GDPR will be enforced from 25th May 2018, replacing the 1995 Data Protection Directive 95/46/EC. Unlike a directive, it does not require national governments to pass any enabling legislation, which makes it directly applicable and binding.
Personal data can be defined as any information relating to an individual, or ‘Data Subject’, that can be used, directly or indirectly, to identify that person. It can be anything from a name, a photo, an email address, bank details, credit card numbers, posts on social networking websites or medical information to a computer IP address. Under the new regulation, organizations must ensure that personal data is gathered legally and under strict conditions, and those who collect and manage it will be obliged to protect it from misuse and exploitation.
The lack of clarity in, and concern over, the protection of EU nationals’ personal data under the current law is a driving force behind the revision of the regulation. The conditions for consent have been strengthened: a request for consent must be clear and distinguishable from other matters, and must be provided in an intelligible and easily accessible form, using clear and plain language. It must also be as easy to withdraw consent as it is to give it.
Under GDPR, consumers will have the right to know when their data has been used without authorization. The organization must send a breach notification directly to the affected individuals, and the breach must be reported to the Data Protection Officer (DPO) within 72 hours, with a detailed description of the consequences of the data breach and the impacts the individuals might face, where the breach is likely to result in a risk to the rights and freedoms of individuals.
Under GDPR, organisations in breach can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed, reserved for the most serious infringements. It is important to note that the compliance rules of GDPR apply to data controllers as well as data processors. The data controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity that processes personal data on behalf of the controller.
DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large-scale systematic monitoring, or (c) organizations that engage in large-scale processing of sensitive personal data (Art. 37). If your organization does not fall into one of these categories, appointing a DPO is not mandatory.
GDPR is a data protection law that will affect not only European businesses but also every organization that handles the personal data of EU citizens. The GDPR is meant to update the standards to fit today’s technology while remaining general enough to protect the fundamental rights of individuals into the future. The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years.