GDPR Overview - EU General Data Protection Regulation
What is GDPR?
On May 25th, 2016, the EU passed a law stating that companies or anyone using the personal data of EU citizens must ask for the unequivocal consent of the individual to use such data. Regarding the use of data, companies are obligated to disclose what kind of data they are using, how the data is treated, and who is in charge of overseeing the use of the data.
General Data Protection Regulation - GDPR
The new data protection law is known as GDPR, General Data Protection Regulation, which is in full force starting from May 25th, 2018. It's a regulation that affects all those companies that treat data of European citizens even if these companies operate from another jurisdiction such as the United States. It means every company, including Google, Microsoft and Facebook, must abide by these laws. If a company is unable to comply with these rules, it will face heavy fines.
Contrary to the belief that GDPR will possibly make it difficult for companies to operate in Europe, it is a blessing in disguise because non-EU companies had to abide by 28 different laws on the use and processing of personal data to be able to offer their services in Europe. If implemented correctly, GDPR can save organizations from spending their resources on interpreting several different consumer laws.
Who Does GDPR Apply To?
The new GDPR regulation dictates that all companies, regardless of their country of origin or activity, must comply with GDPR if they collect, save, process, use or manage any type of data related to citizens of the European Union. It means that large multinational companies who have business links in Europe must also comply with these rules.
For the sake of this discussion, personal information related to an individual is a type of data that can be used to identify the person directly or indirectly. It can be anything such as a name, a photo, an email address, bank details, information on social networking websites, medical information or an IP address of a computer. For a company to use this data, the user will need to give their explicit consent.
From a user perspective, GDPR will give more rights and easy-to-understand laws to individuals residing in the EU. The information is arguably broader, more accessible, more direct, more understandable and clearer than what was previously available. Overall, company executives and employees should be aware that their employer has new obligations when it comes to handling the user data of EU residents.
GDPR Privacy Standards
The rule states that citizens can request companies to delete their personal data when, among other cases, storing data is no longer necessary for the purpose for which it was collected. The GDPR also provides very specific details on "the right to be forgotten". According to "the right to be forgotten" rule, individuals have the right to protect the information shared about them on the Internet and other public sources.
It means that they can ask anyone to remove material containing their personal information whenever they insist. Still, there are restrictions on what can be removed and what may jeopardize public safety.
Lawmakers are still grappling with the consequences of data in the public domain, as some of it is useful for law enforcement agencies and researchers. For instance, certain issues cannot disappear from the public domain without a legitimate reason. These cases can include such information as the names and identity of a person accused of possession of child pornography or child abuse.
Similarly, GDPR has a new rule regarding the right to portability of data if you want to move it from one place to another. According to these rules, your data must be "in a structured format", which is a common and readable format, such as a Microsoft Excel file, so that an individual can easily receive and transmit the data, if necessary.
However, user rights to move their data only apply to those who have contributed to a website. For instance, Facebook would only be obliged to give you the data that you have provided, and not the information that you are leaving with your actions in the social network.
As indicated, lawmakers may come out with revisions of the law if they feel a better alternative exists. In fact, EU law experts suggest that laws concerning GDPR can change at any time; therefore, companies should have a clear understanding of the text.
Overall, GDPR has made it clear that every EU resident has the right to ask a company about how their data is processed, where it is processed and for what purpose. Since every individual has these rights, companies need to provide such information free of cost without any associated rules.
EU officials suggest that unification of all data protection laws had been demanded for some time. It was essential for the development of a digital economy in Europe because authorities felt that there should be no regulatory differences between countries. If different countries had different data protection laws, it could create competitive disadvantages for the entire economy.
To meet the requirement of unification, GDPR is seen as an essential step to strengthen the fundamental rights of citizens in the digital era and facilitate business by simplifying standards for businesses in the digital market.
GDPR Consent - The New Consent Form
According to GDPR, the request for consent must be given in an intelligible and easily accessible form, for the purpose of data processing attached to that consent. It also means that the consent must be unambiguous, clear and distinguishable from other matters. Companies will have to show their conditions in an intelligible form using a clear and simple language.
The law also provides specific information to companies regarding the presentation of a consent form. As such, the information about accepting the terms should be clearly distinguishable from the section related to the processing of user data. Similarly, companies will no longer be able to use the pre-checked boxes that are often used as a marketing tactic.
The possibility of creating standardized icons to facilitate the transmission and understanding of these conditions is also under study. Overall, it can be stated that GDPR intends to end the dark clauses and the illegible, incomprehensible industry jargon that make it difficult for the user to comprehend information.
For companies, GDPR compliance also means that they must change the way they present and disseminate information. If the consent of the user, obtained before May 25th, 2018, was not obtained according to the GDPR regulation, the consent is no longer valid. As a result, the most common method to get the consent of the user is to tell them that the company is required to gain consent according to new EU GDPR law. The new consent will need to be presented according to the framework of GDPR.
If at any point in the future the individual claims that the data was taken illegally, the company, as a defendant, must prove that the data is used according to the provisions of the new law, i.e., GDPR.
GDPR Compliance - Data Breach
GDPR also makes companies liable to report a data breach within 72 hours of a security incident. In such circumstances, they must not only report to the relevant authorities but also tell users whose data may have been compromised. From a corporate point of view, 72 hours may not be enough. Experts suggest that it may take more time to respond to such incidents because it is often difficult to assess the damage across a variety of interconnected networks. Consequently, companies must not ignore the implications of GDPR compliance requirements because they have very little time to change how they can comply with the rules.
GDPR also makes it very clear that the person in charge of the network security must inform and advise employees about their obligations under the data protection law. The person in charge should also monitor GDPR compliance with legislation including audits, awareness-raising activities, and staff training. In addition, the person must be vigilant to people's requests regarding the processing of their personal data and the exercise of their rights, among others. If the company doesn't have a person in charge of cybersecurity, they must think of a solution, quickly.
GDPR also makes companies responsible for creating "Privacy by Design", which means that any future tools must abide by the laws of GDPR. Irrespective of the stage of development of these tools, every corporation must ensure that new tools are able to incorporate new privacy laws.
GDPR Privacy Requirements - 8 Rights of Every EU Citizen
- Right to be informed: The new law suggests that companies must tell EU individuals how they will process the data; whom it will be shared with; and what the retention period is. Similarly, the person can ask these companies to provide information regarding personal data.
- Right to Access: This clause offers every EU citizen the ability to ask companies to share information with the user in an easy-to-understand manner. According to the right to access, every EU individual retains the right to view how the personal information is processed. If needed, they can ask the company to provide the information in a simple format.
- Right to Rectification: It allows EU residents to make changes to the information in the public domain. If someone finds inaccurate information, they can also verbally ask the company to change such information. According to the clause, every company is obliged to rectify information without delay.
- Right to Erasure: Also known as the right to be forgotten. It states that people have the right to ask a company to delete their personal information if it is no longer needed for the purpose it was originally collected for. In certain cases, a company may refuse to delete the information.
- Right to Restriction and Processing: This clause gives people the right to restrict the usage of their data. If a person is concerned about the data usage, they can tell the company to restrict their data even if they have initially given consent.
- Right to Data Portability: This law allows EU citizens to ask companies to give them their personal data in a sharable format without disclosing the nature of usage. Accordingly, the citizen can also share the data with a third-party.
- Right to Object: In particular circumstances, the "right to object" allows individuals to ask a company not to process their data for certain purposes. These situations can include restrictions on data sharing during ongoing legal battles in court.
- Rights related to Automated Decision Making: This right is offered as a safeguard against a potentially damaging decision based on an automated action without human intervention. If the automated action is based on the law or explicit consent of the user, then the individual cannot appeal against the provision.