General Data Protection Regulation

Christian Baghai
Sep 14, 2021

What is GDPR?

The General Data Protection Regulation (GDPR) is the primary law regulating how companies protect EU citizens’ personal data. Companies that fail to achieve GDPR compliance are subject to stiff penalties and fines.

GDPR requirements apply to each member state of the European Union. It aims to create more consistent protection of consumer and personal data across EU nations.

Some of the key privacy and data protection requirements of the GDPR are as follows:

  • Requiring the consent of subjects for data processing
  • Anonymizing collected data to protect privacy
  • Providing data breach notifications
  • Safely handling the transfer of data across borders
  • Requiring certain companies to appoint a data protection officer to oversee GDPR compliance

Simply put, the GDPR requires companies that handle EU citizens’ data to better safeguard the processing and movement of that personal data.

Who is subject to GDPR law?

The purpose of the GDPR is to impose a uniform data security law on all EU members, so that each member state no longer needs to write its own data protection laws.

As a result, laws will be consistent across the entire EU. Companies based outside of the European Union that hold EU citizens’ data are now subject to it as well. As a result, GDPR will have an impact on data protection requirements globally.

What is a data controller and a data processor?

The data controller and the data processor can be an organisation or a person. The duties of the processor towards the controller must be specified in a contract. For example, the contract must indicate what happens to the personal data once the contract is terminated.

The data controller determines how and why personal data is processed.

The data processor processes personal data only on behalf of the controller. This actor is usually a third party external to the company.

A typical activity of processors is offering IT solutions, including cloud storage. The data processor may only sub-contract a part of its task to another processor or appoint a joint processor when it has received prior written authorisation from the data controller. Also keep in mind that there are some situations when an organisation can be both data controller and data processor.

What does it require?

The GDPR itself contains 11 chapters and 91 articles. Here is some of its content.

  • The GDPR gives data subjects more control over personal data that is processed automatically. The result is that data subjects may transfer their personal data between service providers more easily. This is the right to portability. They may also direct a controller to erase their personal data under certain circumstances. This is the right to erasure.
  • Companies should implement reasonable data protection measures to protect consumers’ personal data and privacy against loss or exposure and other cyber security related issues.
  • In case of a data breach, data controllers must notify Supervising Authorities (SA) of a personal data breach within 72 hours of learning of the incident and must provide specific details of the breach. The data controller also has to notify data subjects as quickly as possible of breaches that place their rights and freedoms at high risk.
  • Companies are required to perform Data Protection Impact Assessments to identify risks to consumer data and Data Protection Compliance Reviews to ensure those risks are addressed.
  • Some companies can be required to appoint data protection officers. This is specifically the case for companies that process data revealing a subject’s genetic data, health, racial or ethnic origin, religious beliefs, etc.

Hope you enjoyed this article. You can find some of the other articles I wrote below:
