What is GDPR?
The GDPR (General Data Protection Regulation) is a data protection law that mandates that all companies doing business within the European Union (EU) member states comply with strict new rules protecting the personal data and privacy of people living in the EU (data subjects).
Effective May 25, 2018, the General Data Protection Regulation replaces the Data Protection Directive 95/46/EC. GDPR is aimed at standardizing data privacy laws across Europe and redesigning the way organizations that have any European presence approach data privacy. In addition, the GDPR gives EU citizens more control over their personal information.
The United Kingdom’s Data Protection Act (DPA) 2018 updates and replaces the Data Protection Act 1998. The DPA 2018 went into effect with GDPR’s new rules, and details how the GDPR applies in the UK.
The data that’s considered personal under the EU’s new data protection law includes an individual’s name, address, date of birth, health records, bank details, photos, and IP address as well as biometric data and genetic data that could be processed to uniquely identify that individual.
Under the GDPR, organizations are required to send emails to customers asking them to opt in to their consent and privacy policies.
In addition, a company must appoint a data protection officer (DPO) to oversee its data protection strategy and ensure GDPR compliance under these circumstances:
- The company is a public authority
- The company carries out large-scale monitoring of individuals, such as behavior tracking
- The company engages in large-scale processing of special categories of data
Although there are no set qualifications for a DPO, the individual should have professional experience in the area of data protection law and practices. This guidance comes from the Information Commissioner's Office, the independent regulatory office that upholds information rights in the public interest.
Not appointing a data protection officer, if required by the GDPR, could count as non-compliance and result in a fine.
The GDPR also requires organizations to report any breaches that lead to the “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
This information needs to be delivered directly to the affected individuals via a breach notification within 72 hours of the breach. The GDPR prefers that companies send this notification directly to individuals via email, SMS text, or snail mail. Blog posts, prominent website banners, or press releases can be used for indirect mass communication. Any company that fails to comply with this requirement can be fined 10 million euros ($11.4 million) or two percent of its annual revenue, whichever is greater.
To help ensure compliance with the GDPR, an organization must perform a Data Protection Impact Assessment (DPIA) for data processing projects that will likely result in high risk to individuals. However, it’s also good practice to do a DPIA for any major project that requires the processing of personal data, whether or not the risk is high.