GDPR, a European regulation aiming to protect personal data, comes into effect on May 25, 2018. What does it mean for the European citizen?
GDPR is a European regulation governing the use and processing of personal data; after a two-year implementation period, it enters into force on May 25th, 2018.
Some annoying daily facts
How often do you receive emails from companies you have never heard of, but which are somehow connected to something you searched for a few hours earlier? How often do you see ads while browsing the internet that are annoying or remind you of a site you visited before?
Just the other day I was checking my Instagram feed and I counted one sponsored post in every six posts I saw!
The spam emails we receive and the ads shown to us mostly derive from the collection and processing of our data (with or without consent).
Early Legislation
European countries such as Austria and France started taking measures and implementing regulations to control the use of personal data decades ago.
This trend started between the late 1960s and 1980, and it was then that the European Council began drafting a framework of standards in order to “prevent unfair collection and processing of personal information”.
In 1995, Data Protection Directive 95/46/EC was created to regulate the processing of personal data.
In January 2016 the regulation was finalized and adopted by the European Union and European Parliament.
In May 2018, “following a 2-year post-adoption grace period, the GDPR will become fully enforceable throughout the European Union.”

This post is a (perhaps) oversimplified attempt to explain the GDPR implementation from the ‘subject's’ side. Follow the links at the end for more information, and always seek professional legal advice should you intend to use any of the information contained herein.
What is GDPR?
GDPR is the acronym for General Data Protection Regulation.
GDPR seeks to give people more control over how organizations use their data, and introduces hefty penalties for organizations that fail to comply with the rules and for those that suffer data breaches. It also ensures that data protection law is almost identical across the EU.
Why is there a reform of the data protection rules that have been in force since 1995?
There have been many differences in the way each European Member State implemented the Data Protection Directive; hence the need for a more consistent and robust way of processing data, and for ensuring that people’s personal information and rights are protected.
This regulation protects individual rights and sets protection standards on a global level.
The reform aims to give people more control over their own data and to create trust between companies and users.
What are the fundamental rights of the citizens?
- The user will have the right to be forgotten
The user has the right to ask for their data to be deleted once and for all. The data should be removed and not kept, provided that there are no other grounds for its use.
The proposed provisions on the "right to be forgotten" are very clear: freedom of expression, as well as historical and scientific research, are safeguarded.
- The user will be able to have easier access to their own data
The user is entitled to request and be informed about the data being gathered, stored and processed by the company.
If you check in at a hotel and they hold your personal information (contact details, nationality, birthday, marital status, address, etc.),
you will have the right to ask them to provide you with your own information and to take any action you instruct them to (see below).
- The user has the right to know if there has been a breach at the company that holds their data. It is obligatory for a company to inform the authorities and the customers in case of a data hack.
Any organization that stores users' data and is either hacked or suffers a data breach in its systems is obliged by law to inform its national supervisory authority and the affected individuals as soon as possible (within 72 hours). This will allow the users to take immediate measures to prevent any consequences.
(Imagine a hotel that stores its guests' credit card details; any breach of its systems should be communicated to its customers immediately.)
- The user will now have the right to transfer their data (data portability) between companies
Individuals will have the ability to access and move their data from one company to another. Imagine that you need to move from your mobile phone provider to another one (for whatever reason). You now need to sign a new contract for this new service to be provided to you.
With this right, you will be able to ask your previous provider to transfer all your data to the new provider and then delete it.
- The user will be eligible to have their data protected (by design and by default)
The company or organization is obliged to explicitly declare how it stores and uses the individual’s data. Only once the user has given their consent can the company access and process the data (in the way it has previously stated).
What does the above mean for businesses?
The regulation has become clearer and allows companies to establish procedures in order to store and process data in a lawful way.
More from the official press release:
The data protection reform package helps the Digital Single Market realize this potential through:
One continent, one law: a single, pan-European law for data protection, replacing the current inconsistent patchwork of national laws. Companies will deal with one law, not 28. The benefits are estimated at €2.3 billion per year.
One-stop-shop: a 'one-stop-shop' for businesses: companies will only have to deal with one single supervisory authority, not 28, making it simpler and cheaper for companies to do business in the EU.
The same rules for all companies – regardless of where they are established: Today European companies have to adhere to stricter standards than companies established outside the EU but also doing business in our Single Market. With the reform companies based outside of Europe will have to apply the same rules when they offer goods or services on the EU market. This creates a level playing field.
Technological neutrality: the Regulation enables innovation to continue to thrive under the new rules.
What happens if infringements are found?
As per Article 83, organizations failing to comply with the GDPR are subject to very high fines:
Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher
The need for a new, highly specialized job: the Data Protection Officer (DPO)
In order for organizations and companies to be GDPR compliant, they will need to employ a Data Protection Officer, who should be aware of how the regulation is implemented and who will make sure that all necessary measures and procedures are being followed.
I suggest that we all take some time to read the regulation, whether we are in the user, business or officer category.
I am thinking of creating two more posts, one on the DPO’s qualifications and duties and another on companies and how they will be properly informed.
Feel free to follow the links below for more information and let me know of any remarks or questions you may have.
Source: iapp.org, European Privacy
Source: eugdpr.org
Source: Data Protection in the EU
Press Release
Official Regulation
Use of CC0 images kindly provided by Pixabay:
https://pixabay.com/en/europe-gdpr-data-privacy-3225247/
https://pixabay.com/en/european-gdpr-legislation-general-3233707/