If you have any questions regarding the European Union's upcoming General Data Protection Regulation, then you have come to the right place! In this blog we will be answering some of the most popular questions you have about GDPR and what it means for both businesses and the general consumer.
Let's get started!
What is GDPR?
The General Data Protection Regulation is a new data privacy law being imposed by the European Union that will replace the former Data Protection Directive 95/46/EC. This regulation will unify all the different data privacy laws currently present in the E.U. under one single regulation. With GDPR comes various new data privacy and storage requirements that companies must make sure they adhere to in order to assure their compliance with the regulation.
Do companies based in countries outside of the E.U. have to worry about GDPR?
Yes. Any company that deals with the personal information of E.U. residents is required to comply with GDPR. If your company collects, processes, and/or stores any of this data, then you must make sure you have the proper procedures in place for compliance.
What classifies as "personal data?"
Personal information can be defined as any information that can be used to identify the contact either directly or indirectly. GDPR also applies to what it calls "special categories of personal data," which is data that is more sensitive than ordinary personal data. Special category data can include information regarding race, religion, genetics, health, sexual orientation, and more.
What are the rights individuals have in regard to their personal data?
The principal rights that all individuals have in regard to the processing and storage of their personal data under GDPR are:
- The right to be informed
- The right of access
- The right to rectification
- The right of erasure
- The right to object
- The right of data portability
- The right to restrict processing
- Rights in relation to automated decision-making
What does "legal basis" mean?
The purpose for which the data is being processed constitutes the legal basis for processing. You must be able to identify a legal reason for why it is necessary for you to process someone's personal data. Otherwise, you will processing the data unlawfully and could become subject to punitive fines of up to $20,000,000. Examples of legal bases for processing include:
- If the individual provided explicit consent
- If it is necessary to fulfill a contract with the individual
- If it is necessary to comply with the law
- If it is necessary to protect their vital interests
- If it is necessary to perform a task in the public interest
- If your organization has a legitimate interest in the processing
What is a DPO?
A DPO is a data protection officer. Your organization may need to assign a data protection officer if you are a public authority or if you carry out large-scale monitoring of individuals' information. You may also need to assign a DPO if you carry out large-scale processing of special category data or data related to criminal offenses.
The DPO can be an existing employee or can be externally appointed. They are responsible for helping to monitor compliance and can be a source of information regarding data protection, along with their other tasks.
How long after a data breach do companies have to notify their clients?
Under GDPR, it is mandatory for companies to notify their clients and anyone affected within 72 hours (if feasible) of any breach of personal data. You only need to send notifications if the breach is likely to compromise the rights and freedoms of those individuals. You must also keep a record of all personal data breaches, even if notifications are not required.
When will GDPR begin to be enforced?
The General Data Protection will begin to be enforced on May 25, 2018.
Still have questions?
If you would like to learn more about GDPR and what it may mean for you, be sure to sign up for SimplyCast's seven-week email course! The course began April 4, however, if you sign up now you will receive any emails already sent as well as any still due to come out.
Additionally, you can contact us if you have any questions related to GDPR or any other part of SimplyCast!