This first blogpost is the start of a Trueson blog series on the new General Data Protection Regulation, or GDPR
(in Dutch: Algemene Verordening Gegevensbescherming, or AVG).
Why a GDPR blog? Because we want to highlight and explain to you some of the important changes coming with the GDPR. We will regularly post new blogposts, each highlighting a different important aspect of the GDPR. This first blogpost will explain what the GDPR is, why it was implemented, and will give an overview of the main changes the GDPR brings.
What is the GDPR? GDPR replaces the Data Protection Directive from 1995 as an answer to societal changes and fast-developing technologies to gather and process personal data. Think of smartwatches, smartphones, cloud services, etc. It is a regulation by which the European Union (EU) intends to strengthen data protection for all individuals within the EU. It is meant to provide EU citizens with more control over what happens with their personal data, and provide businesses with a comprehensive legal structure applicable across all of the EU.
When will GDPR start, and what are the potential fines? The official starting date is 24 May 2016, but enforcement of the GDPR will start on 25 May 2018. From then on, fines for non-compliance can be as high as 4% of the worldwide annual revenue of your company. Hence it is extremely important to take the right measures for your company to comply with the GDPR!
What are the main changes? Some of the most important changes the GDPR brings are:
- Data Processors: The GDPR brings some significant changes for data controllers, but especially for data processor businesses. Before GDPR, almost all of the burden of compliance with privacy legislation fell upon the data controller companies. Under the GDPR, however, processors will get obligations and responsibilities directly, and can be held accountable in case of a data breach as well.
- Data Protection Officers: Many companies will have to appoint a Data Protection Officer (DPO). We will be dedicating a future blogpost to DPOs.
- Privacy by Design: Data protection must be included from the start of the system design phase.
- Data Access: Data subjects have the right to request information about their personal data held by companies or authorities.
- Data Portability: Data subjects have the right to transmit their data to another data controller company.
- Right to be Forgotten: Data subjects have the right to get their personal data deleted by companies or authorities.
- Breach Notification: Companies and authorities are obligated to notify data subjects and authorities in case of a data breach. This has to be done within a certain amount of time.
- Consent: Companies and authorities must have the consent of data subjects before they can process personal data.
- Penalties: Authorities can hand out fines for non-compliance as high as 20 million euros or 4% of the worldwide annual revenue of your company.
- Increased Territorial Scope: The GDPR applies to all companies, wherever they are located, that are processing personal data of EU data subjects.
- Cross-border data transfers: There are new rules concerning cross-border data transfers.
- Profiling: The GDPR brings new rules and restrictions on automated data processing.
- Codes of Conduct and certifications: GDPR promotes the use of Codes of Conduct and certifications, by which companies demonstrate to authorities and data subjects that they comply with GDPR.
What’s our next GDPR blogpost topic? It is about the nature of Personal Data, its definition in GDPR, and by what standards it may be considered ‘sensitive’.
You can consult the EU GDPR content here.
You may also appreciate this article here, on the impact of GDPR and the status of compliance in many companies.