What is GDPR and why do you need to have it?
The General Data Protection Regulation (GDPR) is the European regulation on personal data protection. It strengthens and unifies the protection of personal data in the European Union. As of May 25, 2018, this regulation applies to companies from the EU, as well as companies established outside the European Union that process data on the activities of EU entities. Non-European companies are also subject to regulation if they target EU residents through profiling or offer goods and services to European residents.
The GDPR represents the evolution of EU data legislation. It corrects many shortcomings of previous laws, requires documentation of relevant IT procedures, prescribes risk assessment studies, and requires that the supervisory authority and entities be notified in the event of data breaches.
It is especially important to understand that the GDPR applies specifically to personal data. This is what is called Personally Identifiable Information (PII) in the United States. These are data that identify a particular person. In other words, names, addresses, phone numbers, account numbers, and more recently e-mail and IP addresses.
We can state that the GDPR makes laws taking into account common sense measures. The regulation includes the security of personal data, which is similar to the American principle called “Privacy by Design”. From the initial phase of system design, minimize the collection of personal data and delete data that is no longer useful. Also, the regulation restricts access to data and provides them during their useful life.
What are obligations?
Privacy by Design
The concept of Privacy by Design (PBD) has long been a source of inspiration for EU legislators. This regulation more explicitly formalizes the principles of minimizing the collection and retention of data, and requires the consent of persons in any use of their personal data.
Data breach notification
In case of new obligations that were not included in the DPO, companies should, in case of detection of a personal data breach, notify the supervisory authority within 72 hours after the disclosure. Such a violation should also be reported to the person concerned, but only if it leads to a “high risk to his or her rights and freedoms”.
Data Protection Impact Assessments (DPIAs)
Before processing personal data about users, companies will first have to analyze the risks to the privacy and security of legal entities. It is an explicit obligation under this regulation. The long-standing request to the DPO contained the right to have certain data deleted or forgotten, which allows every consumer or user to request the deletion of their personal data. The GDPR extends this right, which now covers all data published on the web. This refers to the “right to forget”, which is still very controversial.
When certain personal data must be processed, companies will first have to analyze the risks to the privacy of those concerned that these treatments cover. It is an explicit obligation of the regulation. A long-standing request under the DPO was right to erasure or forget, which allows any consumer or user to request the deletion of personal data concerning him. The GDPR extends this right, which now covers all data published on the Web. This refers to the “right to be forgotten” which is still controversial.
The GDPR provides graduated financial penalties for companies that violate these regulations. Punishments can sometimes be very harsh. The largest violations will be punishable by a fine of 4% of the company’s total turnover. This will include a breach of the basic principles of the text of the regulation, in particular with regard to respect for “privacy by design”. A fine of up to 2% of the total turnover may be applied if the company does not properly follow all relevant information, or does not inform the supervisory authority and users about the detection of personal data breaches
The principle of extraterritoriality of the GDPR applies to companies that are not physically present in the EU and collect personal data relating to EU citizens (for example through a website). Then all obligations defined by the GDPR can be applied to them. In other words, this new legislation has a scope outside the EU. The most affected non-European companies will be those whose activities include e-commerce and cloud services.
In general, the message sent to the companies concerned by the GDPR is that the treatment of personal data must be carried out with much more care and rigor than before. Users will have the right to request information on the location and manner of storage of sensitive data, who exploits them and who may have access to these data.