What is the GDPR?
After four years of preparation and debate, the GDPR finally comes to power from May 25, 2018. Designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy, the EU General Data Protection Regulation (GDPR) controls how businesses handle personal information about their customers.
Whom does it affect?
“Personal data” can be defined broadly as any information that can be traced back to an individual, ranging from IP addresses to social identities. GDPR applies to data not only within the EU, but extends to all businesses that hold data about EU citizens, even outside the EU. It allows EU residents to question organizations about the source of their personal data, to unsubscribe from its marketing or to completely delete their records.
What are the compliance metrics?
GDPR requires organizations to:
- Ensure transparency in the handling and use of personal data
- Limit personal data processing to specified, legitimate, and intended purposes only
- Enable individuals to correct or request deletion of their personal data
- Limit the storage of personally identifiable data for only if it’s necessary for the intended purpose
- Ensure personal data is protected using appropriate security practices
What are the penalties of non-compliance?
The breach of GDPR regulations can be fined up to 4% of the annual global turnover or 20€ million, whichever is greater. The government has a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment.