GDPR (General Data Protection Regulation) is a European Union regulation designed to increase the protection of EU citizens’ personal data. It is valid and compulsory for all organizations that collect, process or store the personal data of Europeans. It has been in effect since May 25th 2018. The aim of the GDPR is to protect the personal data of EU citizens.
Who is concerned by the GDPR? Who has to be GDPR compliant?
The obligation to fulfil the requirements for the protection of personal data in accordance with the GDPR concerns all entrepreneurs, businesses and organisations that collect, process or store the personal data of citizens of the European Union. This concerns not only European companies but also any non-European company or organization that operates on the European market.
Since every company with at least one employee has to process personal data, the GDPR obligations concern virtually every business entity.
What data does the GDPR apply to?
The GDPR applies to any personal data collected by the organization, such as:
- Personal data of employees
- Personal data of customers
- Personal data of suppliers
- Personal data of other people
The GDPR expands the term "personal data" to cover the following personal details:
- name and surname
- age and date of birth
- marital status
- email address
- telephone number
- state-issued identification information (e.g. social security number, ID card, passport number, etc.)
- IP address
- other sensitive data, including genetic and biometric data (this list will continue to be refined)
What does GDPR mean for companies and organizations?
By May 25th, 2018, all companies must have revised their processes, procedures, records, applications and information systems in which personal data is stored or processed. Companies must implement organizational, procedural and technical measures in order to demonstrate compliance with the GDPR requirements. Furthermore, organizations have to be able to:
- prove that they are only processing personal data for a particular purpose
- demonstrate the way of handling personal information throughout the data processing
- keep records of data in a secure and verifiable manner and to demonstrate who can access them
- in the event of a security breach (in other words, a leak of personal information), notify the supervisory authority and, where necessary, the data subjects (people) concerned
If an organization does not have an appropriate tool, such as an information system, meeting these obligations will result in a substantial administrative burden. Above a certain size, organizations are obliged to establish an independent position referred to as the DPO (Data Protection Officer), whose task is to supervise GDPR compliance, i.e. the handling of personal data.
The regulation introduces heavy fines that can reach up to 4% of the company's total revenue, or up to EUR 20 million.