GDPR (General Data Protection Regulation) is a European Union regulation designed to strengthen the protection of the personal data of people in the EU. It is binding on every organization that collects, processes or stores the personal data of persons in the European Union. The GDPR was adopted in 2016 and applies from 25 May 2018.
Who is concerned by the GDPR? Who has to be GDPR compliant?
The obligation to meet the personal data protection requirements laid down by the GDPR concerns every entrepreneur, business and organization that collects, processes or stores the personal data of persons in the European Union. This covers not only European organizations and businesses but also any non-European organization or business that offers goods or services to people in the EU or monitors their behaviour there.
Since every company with at least one employee processes personal data, the GDPR obligations concern virtually every business entity.
What data does the GDPR apply to?
The GDPR applies to any personal data collected by the organization, such as
- employees’ personal data
- customers’ personal data
- suppliers’ personal data
- other people's personal data
Personal data under the GDPR is any information relating to an identified or identifiable natural person, which includes, among others, the following details:
- name and surname
- age and date of birth
- marital status
- email address
- telephone number
- state-issued identification information (e.g. social security number, ID card, passport number, etc.)
- IP address
- special categories of sensitive data, e.g. genetic and biometric data (this list is not exhaustive)
What does GDPR mean for companies and organizations?
By 25 May 2018, all organizations and businesses must have revised their processes, procedures, records, software applications and information systems in which personal data is stored or processed. They must implement organizational, procedural and technical measures in order to comply with the GDPR requirements. Furthermore, they have to be able to:
- prove that they are only processing personal data for a particular purpose
- demonstrate how personal data is handled at every stage of processing
- keep records of data in a secure and verifiable manner and manage access to it
- in the event of a personal data breach (in other words, a leak of personal data), notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it; where the breach is likely to result in a high risk to the people concerned, those data subjects must be notified as well
If an organization does not have an appropriate tool, information system, software or application for this, the result can be a substantial administrative burden.
Depending on the nature of their processing (public authorities, and organizations whose core activities involve large-scale regular and systematic monitoring of people or large-scale processing of sensitive data), organizations and businesses have the obligation to appoint an independent Data Protection Officer (DPO), whose task is to oversee GDPR compliance, i.e. the handling of personal data.
The regulation introduces heavy fines of up to 4% of the company's total worldwide annual turnover for the preceding financial year, or up to EUR 20 million, whichever is higher.
What does GDPR mean for people, for every one of us?
It means that the fundamental rights of every person in the European Union, as a customer and/or an employee, are strengthened. It does not matter whether the organization that stores the personal data is headquartered in the European Union or somewhere else in the world; the GDPR applies to every entity that keeps records of the personal data of people in the EU. The Regulation gives people in the EU, for example, the right to learn what personal data a company stores about them and how it is processed, and the right to have this data erased:
- right of access - a person (i.e. data subject) has the right to know what personal data is being kept about them by the organization or business (i.e. the data controller)
- right to data portability - personal data can be taken along, e.g. when changing employer
- right to erasure - the company (data controller) has to delete the personal data as soon as there is no longer a reason to keep it