GDPR – General Data Protection Regulation
On May 25, 2018, the General Data Protection Regulation (GDPR) came into force. Its main objective is to govern the collection, use and exchange of personal data. The amount of data we create every day is growing at an exponential rate, and as the regulation itself puts it (Recital 4), "the processing of personal data should be designed to serve mankind."
Although the regulation came into force at the end of May 2018, it was in fact adopted on April 27, 2016. This gave companies and other affected entities a two-year "transition period" in which to prepare for the new requirements (rewriting terms and conditions, updating processes, and so on). From May 2018 onwards, those who violate its provisions face substantial fines: for the most serious infringements, up to 20,000,000 EUR or 4% of total worldwide annual turnover, whichever is higher.
The new regulation is a response to the strong demand from Europeans for uniform data protection rights across the EU. The legal term "regulation" means that the GDPR is directly applicable in the member states; unlike a directive, it does not require national governments to pass implementing legislation. The GDPR applies to any "data controller" or "data processor" (see below) established within the European Union, regardless of whether the processing itself takes place in the EU or not. In addition, it applies to organizations outside the Union that process the personal data of people in the EU, for example when offering them goods or services or monitoring their behaviour (which is why companies such as Facebook and Google are covered).
The GDPR confers certain key rights on the "data subject". First, if there is a personal data breach, the data controller must notify the supervisory authority within 72 hours of becoming aware of it (a processor must inform its controller without undue delay), and must also inform the affected individuals without undue delay when the breach is likely to result in a high risk to them. Data subjects also have the right of access: they can ask how their personal data is being used and obtain a copy of the data itself.
The "right to erasure" (often called the "right to be forgotten") is also introduced, which means that an individual can ask the data controller to delete personal data concerning them (subject to certain conditions). The last principle we want to mention is "privacy by design", which the GDPR formalizes as "data protection by design and by default". The idea has been around for a while, but the GDPR makes it a legal requirement. Basically, it requires data protection to be built in when designing technology systems, rather than bolted on as an "add-on".
Consent is one of the key areas that has been amplified and strengthened. Companies can no longer rely on the terms and conditions of a page alone to obtain consent. Consent now requires a "freely given, specific, informed and unambiguous indication of the data subject's wishes", expressed "by a statement or by a clear affirmative action"; pre-ticked boxes and silence do not count. One of the key ideas is that individuals must know how their data will be used and by whom. It is also important to note that consent obtained before the GDPR remains valid only if it already met these conditions, which explains why you may have noticed "our data policy is changing..." messages from applications you use, such as Facebook and Instagram.
KEY TERMS AND PRINCIPLES:
Here are some key terms and principles that you are likely to hear more often now that the GDPR is in effect:
- Data Controller: the organization that determines the purposes and means of processing personal data (typically the one that collects it).
- Data Processor: an entity, often a third party, that processes personal data on behalf of and under the instructions of the controller.
- Data Subject: the identified or identifiable individual whose personal data is being processed.
- Profiling: any automated processing of personal data used to evaluate certain personal aspects of an individual, in particular to analyze or predict behaviour, performance, reliability, location, health, interests, and so on.
- Pseudonymization (also spelled pseudonymisation): an alternative to anonymization. While anonymization irreversibly removes all information that could identify the individual, so the data is no longer personal data, pseudonymization replaces the identifying fields so that the data can no longer be attributed to a person without additional information (a key or a lookup table) that is kept separately. Pseudonymized data is still personal data under the GDPR, because that link can be restored. Typical techniques are encryption and tokenization.
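The distinction between the last two terms is easy to get wrong in practice, so here is an added example (not code from the original page) contrasting tokenization-based pseudonymization, a keyed-hash pseudonym, and true anonymization on a constructed set of customer records. The records, the `TokenVault` class and the example keys are all assumptions for illustration; the security point is that an unkeyed hash is not meaningful pseudonymization, and that even proper pseudonymization stays reversible for whoever holds the vault or key.

```python
"""Pseudonymization vs anonymization on a constructed record set (illustrative)."""
import hashlib
import hmac
import secrets

# Constructed sample records; no real people or addresses.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "age": 34, "city": "Lyon", "purchases": 3},
    {"email": "bob@example.com", "age": 41, "city": "Lyon", "purchases": 1},
    {"email": "alice@example.com", "age": 34, "city": "Lyon", "purchases": 2},
]


class TokenVault:
    """Tokenization: replace an identifier with a random token and keep the
    mapping in a separate, access-controlled store. The data set alone can no
    longer be linked to a person; whoever holds the vault still can."""

    def __init__(self):
        self._to_token = {}
        self._to_identifier = {}

    def tokenize(self, identifier):
        token = self._to_token.get(identifier)
        if token is None:
            token = "tok_" + secrets.token_hex(8)  # random, not derived from the input
            self._to_token[identifier] = token
            self._to_identifier[token] = identifier
        return token

    def detokenize(self, token):
        return self._to_identifier[token]


def keyed_pseudonym(identifier, key):
    """Deterministic pseudonym: HMAC-SHA256 under a secret key. The same input
    always maps to the same pseudonym (records stay joinable), but recomputing it
    requires the key, which must be stored apart from the pseudonymized data."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_pseudonym(identifier):
    """A plain hash: common, but weak. Anyone with a list of candidate
    identifiers can recompute the hash and re-identify the record."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def reidentify(pseudonym, candidates, key=None):
    """Try to recover the identifier behind a pseudonym from a candidate list.
    Works against unkeyed hashes; against keyed ones only with the right key."""
    for candidate in candidates:
        guess = (keyed_pseudonym(candidate, key) if key is not None
                 else unkeyed_pseudonym(candidate))
        if hmac.compare_digest(guess, pseudonym):
            return candidate
    return None


def pseudonymize(records, vault):
    """Swap the direct identifier for a vault token; everything else is kept."""
    return [{**r, "email": vault.tokenize(r["email"])} for r in records]


def anonymize(records):
    """Irreversible: drop the direct identifier and coarsen the quasi-identifier
    (exact age -> ten-year band) so individuals cannot be singled out by it."""
    return [
        {"age_band": f"{(r['age'] // 10) * 10}s", "city": r["city"], "purchases": r["purchases"]}
        for r in records
    ]


if __name__ == "__main__":
    vault = TokenVault()
    for row in pseudonymize(SAMPLE_RECORDS, vault):
        print(row, "->", vault.detokenize(row["email"]))
    print(anonymize(SAMPLE_RECORDS))
    emails = [r["email"] for r in SAMPLE_RECORDS]
    print("unkeyed hash re-identified as:", reidentify(unkeyed_pseudonym("bob@example.com"), emails))
    print("keyed pseudonym without key:", reidentify(keyed_pseudonym("bob@example.com", b"k1"), emails))
```

Running it shows the two halves of the definition: the pseudonymized rows are still personal data, since `detokenize` (or the HMAC key) restores the link, whereas the anonymized rows carry no way back to a person. It also shows why a bare SHA-256 of an e-mail address should not be called pseudonymization at all: `reidentify` recovers it from a short candidate list with no secret.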