General Data Protection Regulation (GDPR) is a set of guidelines for data protection across the European Union.
The GDPR requirements aim to unify and strengthen data protection in the EU. It gives consumers better control over the personal data they share online, including a more concrete understanding of how the data is used.
Who must comply with GDPR?
The regulation is universally applied to all member states within the EU.
GDPR requirements for US companies apply to every business that plans to sell its goods or services on the European market, or that monitors, collects, or uses data sourced from EU citizens.
GDPR implementation should be the top priority for companies that:
- operate in any of the EU countries
- collect and process the personal data of EU citizens (even if the organization doesn’t have any presence in the EU)
The General Data Protection Regulation for small businesses
Companies with fewer than 250 employees, including small and medium-sized businesses, face lighter internal record-keeping obligations, unless they handle special categories of sensitive data or their processing is likely to threaten the rights and freedoms of the individuals whose data they hold.
GDPR requirements apply to all parties involved in data collection, processing, or storage, including cloud solutions providers.
When does GDPR take effect?
The regulation came into effect on May 25, 2018.
What is personal data in GDPR?
Personal data in GDPR is any data that can directly or indirectly identify a person.
In addition to traditional personal information (name, email, and physical address), an IP address, medical or biometric information, photos, or even social media posts can now be classified as sensitive.
What is GDPR compliance?
GDPR compliance means that an organization is prepared to implement the required changes to guarantee the expected level of data protection.
What are the basic GDPR requirements?
The data protection requirements under GDPR are as follows:
- lawfulness of data processing
- explicit and informed user consent
- special terms for protection of children’s data
- 72-hour timeframe for data breach reporting
- privacy by design and by default
- transparent and orderly internal data processes
- accountability and professional supervision (managed by a dedicated Data Protection Officer)
Organizations that fail to comply with the new regulation will be subject to financial penalties. The maximum fine will equal 4% of the company’s annual global turnover or €20 million (whichever is higher).
The fines will differ depending on the character of the violation.
Actions to take in order to comply with the GDPR requirements:
- Rethink and redesign your user onboarding process.
- Understand what types of information are required, where it will be stored, how it will be used, and who will have access to it.
- Take immediate action in case of a data breach.
- Ensure proper protection of stored data through encryption, pseudonymization, and anonymization.
- Collect and store as little information as possible.
- Appoint a dedicated Data Protection Officer (DPO).
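The list above names pseudonymization, anonymization, and data minimization without showing how they differ in practice. The following is an added example, not code from the original page: it takes a constructed customer record, keeps only the fields a stated purpose needs, replaces the direct identifier with a keyed token (pseudonymization, reversible only by whoever holds the separately stored key), and separately produces an anonymized copy that drops or generalizes identifiers so no key can reverse it. The field names, the choice of HMAC-SHA256, and the generalization rules are assumptions made for the illustration.

```python
"""Pseudonymization vs. anonymization of a customer record, plus data
minimization. Added example; assumes flat dict records and that the HMAC
key is stored apart from the pseudonymized data (the "additional
information" GDPR expects to be kept separately)."""
import hashlib
import hmac
import secrets
from typing import Any, Dict, Iterable

# Constructed sample record for the example; not real data.
SAMPLE_RECORD: Dict[str, Any] = {
    "name": "Alice Example",
    "email": "alice@example.com",
    "ip": "203.0.113.42",          # RFC 5737 documentation address
    "birth_year": 1987,
    "postcode": "SW1A 1AA",
    "purchase_total": 120.50,
}

# Assumed: the only fields the processing purpose actually needs.
REQUIRED_FIELDS = frozenset({"email", "birth_year", "purchase_total"})

# Assumed classification of identifiers for this record layout.
DIRECT_IDENTIFIERS = frozenset({"name", "email", "ip"})


def new_key() -> bytes:
    """Generate a 256-bit pseudonymization key; keep it outside the data store."""
    return secrets.token_bytes(32)


def minimize(record: Dict[str, Any],
             required: Iterable[str] = REQUIRED_FIELDS) -> Dict[str, Any]:
    """Data minimization: keep only the fields the purpose needs, so the
    rest is never stored at all."""
    required = set(required)
    return {k: v for k, v in record.items() if k in required}


def pseudonymize_value(value: str, key: bytes) -> str:
    """Replace a direct identifier with a keyed token. HMAC rather than a
    plain hash: without the key nobody can confirm a guess by hashing a
    known email and comparing, yet the same input always maps to the same
    token, so records stay linkable for the key holder."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize(record: Dict[str, Any], key: bytes,
                 fields: Iterable[str] = ("email",)) -> Dict[str, Any]:
    """Return a copy with the listed identifier fields tokenized."""
    out = dict(record)
    for f in fields:
        if f in out:
            out[f] = pseudonymize_value(str(out[f]), key)
    return out


def anonymize(record: Dict[str, Any]) -> Dict[str, Any]:
    """Irreversible: drop direct identifiers and coarsen quasi-identifiers
    (year of birth to decade, full postcode to its outward part). No key
    exists that can undo this; whether the result truly falls outside GDPR
    still depends on re-identification being no longer reasonably likely."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "birth_year" in out:
        out["birth_year"] = (int(out["birth_year"]) // 10) * 10
    if "postcode" in out:
        out["postcode"] = str(out["postcode"]).split()[0]
    return out


if __name__ == "__main__":
    key = new_key()
    stored = pseudonymize(minimize(SAMPLE_RECORD), key)
    print("stored (minimized + pseudonymized):", stored)
    print("analytics copy (anonymized):", anonymize(SAMPLE_RECORD))
```

The practical distinction for an incident: if the pseudonymized store leaks but the key does not, the tokens alone identify nobody, whereas the same leak with the key in the same database is a breach of personal data and starts the 72-hour reporting clock. The anonymized copy carries no such risk but also cannot serve a data-portability or erasure request, since it cannot be tied back to a person.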
The basic consumer rights granted by the General Data Protection Regulation:
- The right to know what data will be collected and how it will be used.
- The right to withdraw consent at any time and have your data removed permanently (as defined in the GDPR, “the right to be forgotten”).
- The right to data portability (for example, when switching providers).
- The right to be informed, which means greater awareness of how data is used as well as timely breach notifications.