The Cambridge Analytica scandal, which revealed that Facebook failed to protect the data of 50 million of its users, has brought more attention to the General Data Protection Regulation (GDPR). In the last couple of months, more and more companies and people have begun to wonder what the GDPR will change, and with this scandal, GDPR is all over the place.
On 25 May 2018, the General Data Protection Regulation (GDPR) will be enforced across Europe. It took four years to prepare the regulation and more than two years to get to the enforcement date. But now it's a fact – from 25 May 2018 onward, organizations in non-compliance may face heavy fines.
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe. The main purpose is to give citizens more control over their data and to create a common set of rules for organizations across the region concerning data privacy.
The GDPR applies to companies or entities that process personal data as part of the activities of one of their branches established in the EU, regardless of where the data is processed. It also applies to companies established outside the EU that offer goods or services (paid or free) to, or monitor the behavior of, individuals in the EU.
Main elements of the GDPR
The GDPR sets out a series of rights of the data subject. We should keep in mind that it covers the right of access by the data subject, the rights to rectification and erasure – "the right to be forgotten" – and the right to restriction of processing. People will also have the right to data portability, the right to object, and rights regarding automated individual decision-making.
When processing personal data, the data controller must respect three key principles:
– fair and lawful processing;
– purpose limitation;
– data minimization and data retention.
No more “I agree” to a vague statement
People surfing the internet are probably familiar with clicking "I agree" to a vague statement of intent that pops up on their screen and mentions something about cookies. The consent rules change under the GDPR: consent must be explicit and specific for each operation – data controllers can't ask for your consent for any kind of processing; the request must be clear and limited. They are also not entitled to collect and process more data than is needed for the declared and legal purpose of the processing. Regarding direct marketing, the GDPR allows processing of information as long as the consumer benefits from an opt-out system.
The GDPR also specifies that consent can be withdrawn, and that it must be freely given, valid, informed and proactive.
Data that will be forbidden to be processed
From 25 May 2018, it will be forbidden to process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data used to uniquely identify an individual, data concerning health, and data concerning the sex life or sexual orientation of a natural person.
The GDPR provides a number of scenarios in which processing of such data is allowed, subject to a number of precautions.
Under the GDPR, the data processor needs to respect a series of conditions. If they fail to meet them, a series of sanctions can be imposed. These can vary from a written warning in cases of first and non-intentional non-compliance, to regular periodic data protection audits, to a fine of up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater, if there has been an infringement of the following provisions.
You can find out more information regarding the GDPR here.