May 25, 2018 will be a major date for companies operating in the EU that save, share, or collect personal data, as this is the date that the General Data Protection Regulation ("GDPR") goes into effect.
In fact, you might have already noticed that Google, Facebook and other big internet-companies have updated their privacy settings in recent weeks.
"Personal data" is any data relating to an identified or identifiable person. The GDPR establishes new rules for data privacy and personal data, and the regulation will end the (sometimes vast) differences in data protection between the different EU-countries.
The GDPR applies to any company that has activities in the EU, regardless of whether or not the actual processing takes place in the EU.
In addition to the well-known Right to Erasure, or more often referred to as "Right to be Forgotten" (Art. 17 of the GDPR), there are numerous other provisions that will require companies to revise their platforms and practices.. Of note is the requirement that a company be able to present evidence of its compliance with the new regulation upon request. Companies must have a designated Data Protection Officer within the company, if the processed data is of a special category under the GDPR or if the processing is of large scale. An earlier draft where the position of a data protection officer was only mandatory for companies with over 250 employees was dismissed.
Each company will also need to file a record of processing activities, in which the purpose of the processing, the category of recipients and data subjects are laid out. This will also help with the requirement that companies account for all data usage.
Companies will need to have a security plan for collected data, which should address the company's protocol in the event of a breach. Most importantly all data needs to be stored on servers located in the EU and data breaches must be reported within 72 hours of discovery. Also companies must allow their customers to export their data and delete it at any time.
With the GDPR, the consequences of a data breach have also become more expensive. Under Art. 83 of the Regulation, the authorities are now allowed to fine a company up to 20 Million Euros or 4% of their annual turnover for a data breach. The amount of the fine is determined by the severity of the breach, whether there was intent or neglect by the company, how the controller works to clear up the breach, and any previous breaches. Additionally each individual whose data was affected by the breach has the right to compensation under the regulation.
No comments:
Post a Comment