Informing the IBM Community

What Is GDPR?


Get familiar with the EU’s new data protection law. Mark your calendar: May 24, 2018.

What’s happening? The General Data Protection Regulation (GDPR) becomes effective in the European Union.

You may have heard about GDPR in the news, but you might not be familiar with the details. Here’s one thing you need to know: GDPR’s penalties start at 10 million Euros.

This means businesses need to begin assessing how this regulation will affect them.

Your organization still has time to become GDPR compliant, but the more information you have, the easier the process will be. Start by getting familiar with the basic concepts of GDPR.

What is GDPR?

GDPR (General Data Protection Regulation) is the new legal framework in the EU that replaces the current EU Data Protection Directive. The most important difference between the two is the difference between a regulation and a directive.

A regulation is law and is legally binding, whereas a directive is a recommendation and is not legally binding. This means that GDPR is a law that must be followed by all European member states.

Alternatively, this can be explained as a regulation being a single set of rules that must be obeyed, while a directive is a set of rules that leaves room for interpretation.

What is the purpose of GDPR?

GDPR is intended to protect personal data and how organizations process, store, and ultimately destroy it when the data is no longer required. The law gives individuals control of how companies can use information that is directly relatable to them personally and provides eight specific rights.

It also lays down very strict rules governing what happens if access to personal data is breached and the consequences (fines) organizations will suffer.

While the EU Data Protection Directive did not define data breaches, GDPR includes a very broad definition.

A data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.” “Personal data” is “any information relating to an identified or identifiable” person, not just data that could be used for fraud or identity theft.

These definitions matter because they mean many different events or activities qualify as violations of GDPR.

Who does GDPR apply to?

GDPR applies to your organization if:

- it has a physical presence in at least one member state of the European Union;
- it processes or stores data about individuals who reside in the European Union; or
- it uses any third-party services that process or store information about individuals who reside in the European Union.

So there is a very strong chance that if you are reading this and you reside in the European Union, or work with an organization that has employees or customers in the European Union, you will be affected by GDPR.

What are my 8 rights under GDPR?

Right to be informed

This provides transparency over how your personal data is used.

Right to access

Provides access to your data, how it is used, and any supplemental data that may be used alongside your data.

Right to rectification

Your right to have your personal data rectified if it is incorrect or incomplete.

Right to erasure (or the right to be forgotten)

Your right to have personal data removed where there is no compelling reason to store it.

Right to restrict processing

You can allow your data to be stored but not processed. An example where you may want to invoke this right is if you feel that inaccurate data is stored awaiting rectification.

Right to data portability

You can request copies of information stored about you to use elsewhere, such as if applying for financial products across a number of vendors.

Right to object

You can object to your data being processed. One example is objecting to your data being used by direct marketing organizations. If you object, the regulation specifies that they must comply.

Rights related to automated decision making and profiling

You can object to automated decisions being made based on your personal data. Automated means without human intervention. An example is your online shopping habits being inferred from your previous online behaviour.

If an organization or processor breaches a condition, the penalties are high. Businesses currently face fines of up to 10 million euros or 2% of global turnover.

What’s next?

Now that we’ve explained the basic concepts behind GDPR, you can start considering what steps your organization must take to become GDPR compliant. Stay tuned for future articles that delve into what GDPR means for IT teams.

Ready for the Next Step?

Find out if your system is vulnerable to a data breach and examine areas of system security where compliance violations are likely. Request a Security Scan today.