Everything you need to know about GDPR

The General Data Protection Regulation, or GDPR, is one of the most important pieces of legislation ever passed for IT departments.

Approved by the European Union in April 2016 and set to come into force in the UK on May 25th, 2018, GDPR is hugely significant for businesses of all sizes as it will greatly affect how they gather, store, and look after their data.

The key tenets of GDPR concern the privacy rights of everyday users and the data they create online, and look to bring together several existing laws and regulations to harmonize rulings across the European Union.

Under GDPR, companies will also have to be more upfront when collecting the personal data of customers – meaning consent will need to be explicitly given, as well as the gatherers needing to detail the exact purpose that this data will be used for.

This personal data will also need to be encrypted by default as part of a process known as pseudonymisation, meaning that it cannot be linked to a specific person without being accompanied by extra information.

Personal data applies to a wide range of information – effectively anything that could be used to directly or indirectly identify a person online. This could include names, email addresses, images, bank details, posts on social networking websites, medical information, or even a computer IP address.

Users will also have the right to know exactly what details a company or organization holds about them, and also request that any of this information be deleted if they feel their rights to privacy are being infringed as part of the new “right to erasure”.

Companies that suffer data breaches, whether accidental or as part of a cyber-attack, will need to disclose this event to the relevant within 72 hours of it happening – although there is no requirement to notify users unless instructed.

Any organisation found to not be conforming to the new regulation after the May 25th deadline could face heavy fines, equivalent to four percent of annual global turnover, or €20 million – whichever is greater.

What does GDPR stand for?

GDPR stands for General Data Protection Regulation, also officially known as EU Regulation 2016/679.

Does GDPR replace the DPA?

Yes, GDPR will replace the UK’s existing Data Protection Act, which was first drawn up in 1984.

GDPR is also designed to replace the Data Protection Directive, which initially came into force in 1995, as the EU looks to bring together different regulations and legislation across the continent.

When will GDPR come into force?

GDPR will become enforceable from 25 May 2018, following a two-year transition period.

Being a regulation rather than a directive, GDPR doesn’t require enabling laws to be passed by member states.

Why is GDPR important?

GDPR is the largest and most comprehensive piece of data regulation ever passed by the European Union, and as mentioned, seeks to unify several pre-existing pieces of legislation.

Because data protection concerns stretch across national boundaries, the introduction of GDPR seeks not just to regulate data within the EU. It seeks to extend EU data protection law to any organisation holding information on EU citizens, even if that organisation is based outside the EU.

For businesses, GDPR means keeping a much tighter rein on the data they possess, and should also improve security awareness and protection levels for many. It also affects how companies collect and hold data on individuals such as customers, and governs the export of personal data beyond the EU’s boundaries.

For consumers, GDPR gives them much more clearly defined privacy protection when online. Companies will now have to give explicit notice when asking for personal information, and what they use these details for. Under GDPR, consumers also get a “right to erasure”, which is a step up from the current “right to be forgotten”, meaning they can apply to have information about them publish online removed.

Who does GDPR apply to? Is my business affected by GDPR?

Short answer – yes. If you are a business that deals with online data in any way, you will need to comply with GDPR before next year’s deadline.

As mentioned before, if you fail to bring your organisation up to speed before May 25th, 2018, the EU rules state that you can be fined up to four per cent of annual global turnover, or €20 Million – whichever is greater.

Businesses will need to be able to demonstrate that they comply with the principles. To do this they’ll need to have documentation in place that shows how they’re processing data, they may also need to appoint a data protection officer.

Is GDPR retrospective?

No – the European Union adopted the two-year transition period in order to provide businesses with the time needed to ensure they are up to speed with GDPR.

– EU GDPR website – a central repository for everything you need to know about GDPR

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy. The key articles of the GDPR, as well as information on its business impact, can be found throughout this site

– EU GDPR FAQs – answers to some of the most pressing GDPR questions

Frequently Asked Questions about the incoming GDPR.

Source: https://www.itproportal.com