As you have likely noticed from all the emails in your inbox with the subject: “Our Privacy Policies are Changing!”, the General Data Protection Regulation (GDPR) Privacy Law is now in full effect. In a nutshell, this law is intended to help users take more control over what data is collected about them from organizations that they interact with.
Although it is aimed primarily at organizations that are established in or do business in the European Union (EU), GDPR also applies to anyone who processes the personal data of people within the EU. Compliance with the new privacy law is therefore necessary for organizations outside the territory of the EU as well.
For organizations that remain ignorant of the changes affecting them, a maximum fine of 4% of annual global turnover or 20 million Euro can be imposed. These penalties ensure that infringements such as failing to obtain sufficient customer consent to use personal data, failing to keep records in order, and failing to notify customers of a breach of their data do not go unpenalized.
Among the major changes are the conditions for obtaining consent from citizens to collect their personal data. Organizations must explain clearly and intelligibly how a citizen's personal information is to be used and must obtain that citizen's consent before processing it. It must also be possible for the citizen to revoke consent at any point in time.
On that note, one new right being given to citizens is the “Right to be Forgotten”. While this may seem unlikely in a world where so much of our lives are online, GDPR gives citizens the right to have their personal data erased and any further processing of it, including by third parties, halted.
One of the most powerful shifts of control into the hands of the citizen is the “Right to Access”. At any point, a citizen can request confirmation of what data, if any, is being processed, what specifically it is being used for, and where that data is being stored. Organizations are responsible for delivering this information electronically and free of charge. This is one of the most important changes in GDPR, giving the citizen full control over their data.
Among other changes, GDPR makes breach notification mandatory: organizations must notify their customers of any data breach that has resulted in the exposure or compromise of their personal data within 72 hours of discovery. Additionally, to limit the extent of exposure in potential breaches, organizations are responsible for redesigning their systems to encrypt all personally identifiable information (PII). This information ranges from name and email address to connected-device details such as a local IP address.
The new GDPR law has been fully implemented, and some organizations have already proven unable to adapt. The benefit of this change is that control of personal data is placed back in the hands of the individual rather than the organization, while the organization is held responsible for protecting that data, with steep penalties if it does not.
If you have any concerns about whether your company is affected by GDPR, or are unsure how to make the changes necessary to become compliant, please reach out to us with your question.