Important things you have to know about the General Data Protection Regulation (GDPR)

GDPR is one of the most important issues in the EU. It is, therefore, surprising that there is still not enough clear information and discussion about it. With this regulation, the European Parliament has sought to unify data protection legislation across the EU. The current regulation dates from 1995, and we all know how much the world (especially the digital world) has changed since then: social networks, internet banking, online shopping, and digital healthcare have all emerged.

IMPORTANT FACTS

It is important to note that this new regulation is binding for all member states on the date of entry into force, which means that it will apply in all member states as of May 25, 2018.

The Regulation only covers personal data, so other information is not affected by this law. In an age of general digitalisation, the question of what counts as personal data needs to be re-defined.

Ten years ago, when a household typically had a single computer shared by all its members, the IP address (the numeric tag of the device connecting to the internet) was not personal data. Today, when an IP address, and therefore every device connected to the Internet, can easily be linked to a specific person and their activities, the IP address is definitely personal data.

The regulation also applies to companies in countries outside the EU that use the data of European citizens or sell them goods or services. The message is clear: if you benefit from the EU market, you have to respect its rules. The rule applies to all companies that store and process data.

What changes and what stays the same?

Depending on the size of the company and the amount of data it holds, it may be necessary to appoint a DPO (data protection officer). The DPO will act solely on the instructions of the company responsible for the data and will have appropriate (most often process and IT) solutions that guarantee the implementation of the regulation. The DPO must have a secured line of communication with the highest levels of management. The aim is to ensure that data protection is on the agenda of the company's board of directors.

It is necessary to take certain actions to prove compliance with the regulation.

Those actions include:
  • adopting detailed records of data processing
  • implementing appropriate security measures
  • protecting privacy
  • appointing a Data Protection Officer (DPO) where required

Under current EU law, individuals have the right to access, correct, delete, and block their data. That right still exists in the new law, as does the right to opt out of direct marketing. The new law, however, introduces new terms, practices and rights, and enhances individuals' rights of access and complaint.

In GDPR, consumer rights include:
  • Right to information
  • Right to access
  • Right to correction
  • Right to deletion
  • Right to limit processing
  • Right to data transferability
  • Right to objection

The right to deletion is also known as the "right to be forgotten". It entitles an individual to request the deletion or removal of their personal data.

The right to data transferability (portability) enables individuals to obtain and reuse their personal data for their own needs across different services. It allows them to move, copy or transfer personal data from one IT environment to another in a safe and easy way.

Companies will have to notify the competent supervisory authority themselves if a breach poses a risk to the rights and freedoms of individuals. This covers cases where there is a risk of a significant detrimental effect on individuals, for example discrimination, reputational damage, financial loss, loss of confidentiality or any other significant economic or social disadvantage. The breach must be reported to the relevant supervisory authority within 72 hours of the company becoming aware of it.

Consequences

Finally, there are extremely large fines for violating the law. The fines are tiered, and for the most serious breaches they can reach up to 4% of global annual turnover. Regulators also have a mandatory right to enter private organizations and monitor them. As the text so far shows, alignment with the EU regulation is very demanding. To achieve compliance, it is essential to make a comprehensive list and categorization of data, together with a range of qualifying indicators (time, legal basis, purpose, etc.) by which the data can be easily searched and continuously monitored.

The GDPR enters into force in May 2018 and will completely change the way organizations across Europe deal with their Internet security and data protection responsibilities.