In January 2012, the European Commission was responsible for introducing the reforms that were going to make Europe ready for the digital millennium.
One of the most important parts of the reforms is the General Data Protection Regulation (GDPR). This law applies to all organizations and individuals providing services in the member states of the European Union, as well as to foreign companies and associations providing goods and services to the people of the member states.
Andrus Ansip, Vice-President for the Digital Single Market, issued a statement when the reforms were agreed in December 2015:
“Today’s agreement is a major step towards a Digital Single Market. It will remove barriers and unlock opportunities. The digital future of Europe can only be built on trust. With solid common standards for data protection, people can be sure they are in control of their personal information.”
What is GDPR?
GDPR stands for General Data Protection Regulation. It is a new set of laws and rules designed by the European Union. The main objective of the GDPR reforms is to give citizens of the member states of the European Union more control over their personal information. The reforms were also introduced to simplify the governing bodies’ regulations so that both citizens and businesses can benefit from the growing economy of the digital world.
Almost every human being on this planet uses the internet, and the GDPR reforms were introduced to bring more stability to the internet-connected world we live in. In this age of high risk of data breaches, the GDPR reforms introduced laws on personal data, privacy and permission for data usage, which are necessary at this point.
Every aspect of our lives revolves around the internet and the transmission of data from one device to another. Data is transmitted to and from social media companies, banks, stores and government agencies. Every one of them uses data, so it was about time that laws were introduced to govern the use and security of data.
Every service that we use in everyday life uses our personal data. Personal data may include your name, address, credit card numbers and much more. This information that you submit and call yours is analyzed and stored by organizations for an indefinite amount of time. These reforms were introduced to prevent the misuse and exploitation of data submitted by consumers.
GDPR Compliance – What should you know about it?
The Internet is a network of computers that constantly receive and forward data from different networks and computer systems every second. Sometimes vulnerabilities appear in a network that a computer is connected to, and their exploitation results in data breaches.
The perpetrator steals information, makes sure you lose your information, or disrupts the functionality of your computer through malware. In any case, you lose a precious amount of time and data trying to fix that vulnerability.
If an organization wants to conduct business activities inside the European Union, it will have to be GDPR compliant. GDPR compliance requires organizations to ensure that the personal data they gather is collected legally and under strict conditions.
They also have to take care of the security of the data being submitted; any breach or data loss will be fined under the GDPR. To stay compliant with the GDPR, they have to respect the rights of data owners as per the regulations stated in the GDPR reforms.
Who does the GDPR apply to?
The GDPR applies to any organization that is established and provides goods and services inside Europe. It does not stop there: it also applies to organizations that are established outside the European Union but provide services to, or conduct business transactions with, people living in the European Union. The GDPR legislation will force each and every major organization to provide high-quality security and privacy to consumers.
The GDPR reforms describe more than two types of data handlers. One is the “Processor” and another is the “Controller”. Both terms are mentioned and explained in Article 4 of the General Data Protection Regulation (GDPR). For your ease, they are explained below.
A controller is a person or an organization that decides the medium and sends data, for example through submitting an online form. According to the GDPR reforms, the controller has to specify the purpose of processing personal data. The processor is an individual, an organization or a third party affiliated with the controller that processes data on behalf of the controller.
The GDPR places legal obligations on a processor regarding how it maintains records of personal data. Take, for example, a payment gateway that processes your credit card credentials. If the data is breached and the gateway does not have proper security to keep consumer data safe, it will have much more on its plate than it asked for.
What does the term “Personal Data” in GDPR refer to?
Under the previous legislation, the term “Personal Data” referred to nothing other than the things you already knew, such as your name, address, email etc. With the introduction of the GDPR, however, the meaning of personal data is extended: anything that relates to you or is in your use qualifies as your personal data.
IP addresses are also considered part of your personal data. Sensitive information such as biometric information, or any information that can distinguish one individual from another, is also considered part of personal data.
When will the GDPR be applied?
The GDPR is supposed to be implemented across the European Union from 25th May 2018. All of the nations in the European Union are expected to have implemented the GDPR reforms in their own national law.
It has already been implemented throughout the European Union. Organizations are required to comply with the GDPR reforms and make the necessary changes in order to continue conducting business in the European Union.
GDPR for Businesses – What does it mean?
The GDPR implemented one law across the European Union, which applies to companies and associations doing business within the member states of the Union. However, this does not mean that companies established and operating outside Europe fall outside the scope of the GDPR.
Any company or organization that provides services to the people of Europe, even if it is established outside Europe, has to comply with the GDPR in order to do so. The reach of the law does not end at the borders of the European Union.
International organizations will have to comply with the law in order to conduct business activities in the European Union. This reform promotes the overall security of data submitted by consumers; because of it, organizations will be forced to implement methods of collecting data that are considered secure and that make the consumer’s data security and privacy the number one priority.
GDPR for Citizens – What does it mean?
Throughout the evolution of the internet, there have been many security breaches that resulted in information being lost or exploited. Companies operate on consumers’ data, and whenever such a breach occurs, only the consumers suffer. Some of their personal information, which was supposed to be safe and secure, has been leaked on the internet.
One of the main changes the GDPR has implemented is that customers will have the privilege of knowing whether their information has been hacked or stolen. Organizations are required to inform the national bodies as soon as the breach occurs so that EU natives can take measures to secure or delete their information and keep it from being misused or exploited.
Organizations are required to specify how they use the data they collect from their consumers, and are advised to give consumers the right to amend, delete and change the information stored in their databases.
GDPR breach notification – Explained
When the GDPR comes into action, one of the most important things it improved is breach notification. As the name suggests, organizations are strictly required to give notice of a data breach: unapproved access to individual information must be reported to the person who is responsible for keeping that data secure. Organizations are also required to make their users aware that the organization has been breached, through emails or any means necessary.
Under the GDPR reforms, the organization must inform the relevant overseer within 72 hours of the breach occurring. If the breach is more serious and severe, the customers or the public must be notified instantly. The GDPR legislation states that customers and users of the service should be made aware of the breach without any delay.
GDPR fines and penalties for non-compliance
GDPR fines and penalties are designed in such a way that they compel every organization to take the reforms more seriously. Fines for not complying with the reforms can range from 10 million euros to a whopping 4% of the organization’s global revenue, which for some organizations can amount to billions of euros.
There is still a bit of leniency in the fines charged for not complying with the reforms. The fines and punishments depend entirely on how severe the breach was and how much effort the organization made to keep the data secure and safe from such vulnerabilities and exploitation.
The fines may vary if you fail to comply with rules other than securing information from data breaches. An organization that ignores the rights of data owners, transfers data to an international organization, or even transfers it to its own secure place without authorization is charged a fine ranging from 20 million euros to 4 percent of the company’s global revenue.
A company that fails to handle data, fails to report a data breach, does not include privacy and security in its product design for consumers, or does not hire a data protection officer to maintain the data it collects will be fined a minimum of 10 million euros to a maximum of 2 percent of global revenue.
Conclusion
From the perspective of an average consumer of internet services and organizations, GDPR is a good initiative that promotes the security and protection of personal data. Organizations being held responsible when a data breach occurs hasn’t been seen in a while.
It’s reassuring and cheering: with the implementation of GDPR, we will be able to have some sort of satisfaction, when submitting our personal details to an organization, that they are protected from being misused or exploited through data breaches.