The General Data Protection Regulation (GDPR) of 2018 represents the next step forward in data subject privacy rights and company accountability in the European Union. In the wake of earlier data breaches and mishandling of subject data, a regulation designed with subject privacy in mind provides a greatly desired sense of comfort to those who were negatively affected before.
What You Need to Know:
- May 25, 2018 the GDPR goes into full effect
- New data collection and usage policies affect all companies doing business in the EU
- Data subjects are given more power over their personal information
- Businesses must now be able to prove they are adhering to the new Regulation
What Is the GDPR 2018?
The GDPR is a regulatory mandate designed to increase the data protection and privacy rights of European Union (EU) citizens with respect to any and all companies doing business with or collecting information on EU citizens. This 2018 regulation is an updated extension of the previous 1995 directive and the current Data Protection Act (DPA) of 1998. Regardless of a company's physical location, it is required to abide by the GDPR if it conducts any business within the EU.
Businesses of a certain size that collect information on or from EU citizens are required to appoint a dedicated Data Protection Officer (DPO), who will be responsible for recording and maintaining subject data according to the regulation's requirements.
At its core, the GDPR of 2018 is a mandate to protect and increase the rights and protections of EU citizens. It increases the power of the data subjects and decreases the abilities of businesses to withhold, keep, and use subject data unethically.
The GDPR goes into effect May 25, 2018. So if you are a company that does any business in the EU, you need to consult your legal team to make sure your data handling policies and practices are in line with this new regulation. Failure to do so could result in harsh penalties.
Who Does the GDPR Affect?
Any company, regardless of location, that either sells to or records information of EU citizens is subject to the updated regulations in the GDPR of 2018.
The GDPR affects both Controllers and Processors of personal subject data. Controllers dictate how and why personal data is used, and a Processor carries out the orders of the Controller. The new GDPR of 2018 places heavier obligations on both roles if a data breach occurs for which they are responsible. Additionally, Controllers will have more responsibility to ensure Processors carry out orders correctly, and Processors will be required to maintain records of their processing activities and of personal data. If your business already complies with the current DPA, you will most likely be required to abide by the new GDPR as well. Data Controllers will be held to a new standard: they must be able to demonstrate how they are complying with the GDPR.
Consent rules are tightening with these regulations, and children 16 years and younger will need parental consent before a business can process and use any data that has been collected on them. This regulation makes several changes on behalf of the subject's rights and in how information is recorded and processed. Previously, when collecting and/or using data from citizens of several member states, each local data protection authority needed to be notified. That is no longer the case. Instead, companies will be held to internal record-keeping standards, and a DPO position will be mandatory for companies that engage in regular monitoring and tracking of subject data.
Personal Data and Security
The GDPR of 2018 applies to both personal data and sensitive personal data. But what's the difference? Personal data is defined more precisely in the 2018 GDPR, which makes explicit that an online identifier will now also be categorized as personal data. By definition, personal data or Personally Identifiable Information (PII) is "any information that relates to an identified or identifiable living individual". Pseudonymous data may fall under these new regulations as well.
Sensitive personal data is referred to in the GDPR as "special categories of personal data", such as genetic information, biometric data, personal health information, etc. All sensitive personal data may be collected only after explicit consent is given by the subject.
Data Subjects’ Rights
Data subjects' rights are what this new regulation is all about. It aims to give subjects easier and more direct access to their information and to how it is being used, and the ability to demand that it be forgotten, to name just a few of the protected rights.
The GDPR lays out 5 specific rights and assurances for subjects:
- Breach Notification
- Right to Access
- Right to be Forgotten
- Data Portability
- Privacy by Design
The GDPR website outlines the Data Subjects’ Rights as follows:
Breach Notification
If a system breach occurs in which subject data is put at risk, the business is required to inform all those affected within the first 72 hours of the breach. Processors will also be required to inform Controllers immediately when the breach is noticed.
Right to Access
This right gives the subject the ability to contact the Controller of their information to learn whether their personal data is being processed, how it is being used, and for what purpose. The Controller will also be required to comply with a request from the subject to obtain a complete copy of their personal data in an electronic format, at no cost to the subject.
Right to be Forgotten
This is also known as "Data Erasure". The Right to Be Forgotten allows the data subject to withdraw consent for their personal data being collected and used, and to request that it be destroyed and forgotten. At the request of the subject, collection of their personal data will stop and the data already held will be destroyed. Article 17 of the regulation further outlines the conditions for subject data erasure that the data Controller takes into consideration when processing the subject's request.
Data Portability
This new right allows the subject to receive the personal data being collected on them in a "commonly used and machine readable format". Subjects will now have the ability to transfer their data to a new Controller if they choose.
Privacy by Design
While this right has been in play for a while, its importance is being reinforced. Personal data protection will now be a concern from the outset in any and all data collection and processing systems. Only personal data essential to the stated purpose will be collected, and access to that personal data will be limited to those who need it to process it.
Many of these rights are carryovers from the previous DPA that have now been more clearly laid out and detailed. These 5 rights work to benefit the subject of the data collection and highlight the importance of the ethical treatment of subject data.
The 2018 GDPR was designed to enrich EU data subjects' privacy rights and to ensure their personal information is collected and used ethically. It is a sweeping regulation that affects all businesses collecting information on individuals residing in the EU. In our digital world, privacy is an ever-growing concern, and it is up to businesses to ensure protection for the people whose data they hold.