The General Data Protection Regulation (GDPR) is the world’s strongest data protection ruleset, and it is enforced in the EU. The law was constructed to improve the protection of individuals’ personal information and the way organizations handle it.
GDPR came into force on 25 May 2018, although it was published in the EU Official Journal in May 2016. The two-year gap gave businesses and public bodies time to prepare for the requirements set out in the law.
The regulation sets out rules for businesses and public sector organizations on how to handle customers’ information. It also strengthens individuals’ rights and gives them more control over their information.
Which Law Does GDPR Replace?
GDPR replaces the previous European law, the Data Protection Directive of 1995, which had struggled to keep pace with technological change.
GDPR is a single ruleset for the whole of Europe, but it requires each member state to make small changes to its own national law. Accordingly, the UK government passed a new Data Protection Act (DPA) 2018, which replaces the Data Protection Act 1998.
The DPA 2018 was brought into force in the UK just before GDPR took effect, after being formally approved by both the House of Commons and the House of Lords.
In its early stages the DPA attracted controversy and confusion. After experts warned that the law could criminalize their work, it was amended to protect cybersecurity researchers who work to expose breaches of personal data.
Some politicians also pushed for a second Leveson inquiry into press standards in the UK, but this was dropped at the last stage.
What is The GDPR?
GDPR is the new data protection law implemented across Europe. Its main purpose is to establish uniform data privacy rules across Europe, while also introducing better protection and stronger rights for individuals.
The regulation brings significant changes both for the public and for the organizations and bodies that deal with individuals’ personal information.
The legislation was adopted by the European Parliament and the European Council in April 2016 after four years of discussion and negotiation, and it was published at the end of that month.
However, the law did not take effect until two years later, in 2018, to give the affected bodies adequate time to prepare.
The complete GDPR consists of 99 articles covering the rights of individuals and the obligations placed on organizations under the regulation.
Who Is Affected By The Law?
Almost every organization, individual and company could be affected by the law. Every entity that is either a controller or a processor of personal data falls under the GDPR.
Those currently subject to the DPA are also subject to the GDPR, as the ICO states on its official website.
GDPR covers both personal data and sensitive personal data. Personal data is the broader category, defined as anything that could be used to identify an individual, such as a person’s name, email address or IP address.
Sensitive personal data includes information such as genetic data, religious and political views, sexual orientation and similar categories.
These definitions are much the same as in the previous data protection laws. Where GDPR differs is that pseudonymized personal data can also fall under the law if a person could be identified through the pseudonym.
Accountability and Compliance
GDPR holds companies accountable for how they handle individuals’ data. This may include having data protection policies, carrying out data protection impact assessments, and keeping documentation on how data is handled.
Under GDPR, the “destruction, loss, alteration, unauthorized disclosure of, or access to” an individual’s data must be reported to the member state’s data protection regulator where it is likely to have a damaging effect on the people whose data is involved. That damage may include, but is not limited to, financial loss, breaches of confidentiality and reputational harm.
The ICO must also be informed of a breach within 72 hours of the organization becoming aware of it, along with the impact of the breach on the people affected.
Organizations with more than 250 employees must document why individuals’ information is collected and processed, what data is kept, how long it is kept, and what technical security measures are in place.
Organizations that regularly and systematically process individuals’ information on a large scale, or that process a lot of sensitive information, must also appoint a data protection officer (DPO).
The DPO reports to senior staff, monitors compliance with GDPR, and acts as a point of contact for employees and customers.
In certain situations organizations also need to obtain consent to process data. Where consent is required, the organization must clearly explain what the individual is consenting to, and the consent must be a ‘positive opt-in’.
The situations in which an individual’s data can be processed without consent are set out in this blog post.
Rights to Individuals
GDPR gives individuals more power to access the information that organizations hold about them.
A Subject Access Request (SAR) gives people the right to ask what data a company or organization holds about them. Under the previous regulation an access request cost £10; GDPR removes this charge and makes it free. When someone submits a SAR, the business must provide the information within one month.
Every individual has the right to confirm that an organization holds information about them, to access that information, and to receive certain additional information.
Individuals can also require the removal of their personal data in certain circumstances: for instance, when the purpose for processing no longer exists, when consent is withdrawn, when there is no legal basis, or when the data is processed unlawfully.
GDPR imposes fines on businesses and organizations that do not comply with the law. For instance, a security breach, the absence of a required data protection officer, or inappropriate handling of people’s data could all result in a fine.
For lesser offences GDPR allows fines of up to €10 million or two percent of a firm’s global turnover. More serious offences can result in fines of up to €20 million or four percent of global turnover. In the UK, monetary penalties will be decided by Denham’s office. These penalties are far greater than the previous maximum of £500,000 that the ICO could impose.
Fully complying with GDPR is a real challenge for businesses. The ICO publishes a guide to the various GDPR rights and principles.
There is also a starter guide covering steps such as making senior business leaders aware of the regulation, updating processes around subject access requests, and what should happen when a data breach occurs.
You can read the complete GDPR document (88 pages and 99 articles) here.