The General Data Protection Regulation (GDPR) is a legal framework agreed upon by the European Parliament and Council, superseding the Data Protection Act (DPA). It came into effect across the European Union on May 25, 2018, as the primary law regulating how companies protect EU citizens’ personal data. It sets the rules for the gathering and processing of private data of people within the EU, while also imposing fines that can be revenue-based. It covers all companies that deal with the data of EU citizens, making it a critical regulation for corporate compliance officers at banks, insurers, and other financial companies.
Companies that are already in compliance with the directive should ensure that they are also compliant with the new requirements of the General Data Protection Regulation (GDPR). Companies, corporations, and firms that fail to achieve GDPR compliance are subject to stiff penalties and fines.
Plainly put, the General Data Protection Regulation mandates a baseline set of measures for companies that manage EU citizens’ data to properly safeguard the processing and flow of the citizens’ personal data.
The General Data Protection Regulation requirements apply to each and every member state of the European Union, aiming to create a more consistent protection of consumer and personal data across EU nations. Some of the essential privacy and data protection provisions of the General Data Protection Regulation include:
- Ordering certain companies to designate a data protection officer to manage General Data Protection Regulation compliance,
- Requiring the approval of citizens for data processing,
- Anonymizing obtained data to preserve privacy,
- Providing data breach or hack notifications and announcements,
- Carefully managing the flow of data across borders,
- Appointing dedicated data protection officers, and much more.
Under the General Data Protection Regulation, companies and firms may not lawfully process any person’s personally identifiable information (PII), and are encouraged to pseudonymize it, unless at least one of the following conditions is met:
- Express consent (permission for something that is given specifically, either verbally or in writing) of the data subject.
- Processing for the performance of a contract with the data subject or to take steps to enter into a contract.
- Processing for compliance with a legal obligation.
- Processing to protect the important interests of a data subject or another person.
- Processing for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
Pseudonymization means that the data can no longer be associated back to a particular person. It allows companies and firms to carry out broader data analysis, such as assessing the average debt ratios of their customers in a particular region, which would otherwise go beyond the original purpose for which the data was collected (evaluating creditworthiness for a loan).
What is personal data under the General Data Protection Regulation?
The kinds of data deemed personal under the existing legislation include names, addresses, and photos. The General Data Protection Regulation extends the definition of personal data so that something like an IP address can be personal data. It also adds sensitive personal data such as genetic data and biometric data which could be processed to uniquely distinguish an individual.
What does the General Data Protection Regulation (GDPR) mean for consumers/citizens?
Because of the sheer number of data breaches and hacks that have occurred over the years, the unfortunate reality for many people is that some of their data has already been exposed on the internet, which is why a lot of companies are leaning toward telecom expense management.
Under the General Data Protection Regulation, consumers/citizens’ (or simply put, data subjects’) rights include:
- The right to be forgotten – data subjects can request that their personally identifiable information (PII) be erased from a company’s storage. The company may refuse such a request if it can demonstrate a legal basis for the refusal. The right to be forgotten is the concept that individuals have the civil right to request that their personal information be removed from the Internet.
- The right of access – data subjects can examine the data that an organization has stored about them.
- The right to object – data subjects can deny permission for a company to use or process their personal data. The company can override the objection if it can satisfy one of the legal conditions for processing the subject’s personal data, but it must notify the subject and explain its reasoning for doing so.
- The right to rectification – data subjects can expect inaccurate personal information to be corrected.
- The right of portability – data subjects can access the personal data that a company has about them and transfer it.