The General Data Protection Regulation (GDPR) is a European Union regulation that protects individuals' data, specifically with respect to the processing of personal data and the free movement of such data. Through this regulation, labelled 'Regulation (EU) 2016/679', the European Commission, the European Parliament, and the European Council seek to strengthen and centralize data and privacy protection for all individuals residing within the Union.
Being a regulation rather than a directive, the GDPR does not require national governments' authorization to become binding legislation. When it takes effect, it will replace Directive 95/46/C, which was passed in 1995. The GDPR is ostensibly designed to give individuals a much greater degree of control over all their personal data.
GDPR is monumental
The GDPR will apply within the Union starting May 25th, 2018, after a transition period of two years. This is the most important and monumental change in EU data privacy regulation in over two decades, motivated by the growing, multi-faceted threats faced by all those residing in the Union. Data privacy laws across Europe are being unified, and at the same time businesses must drastically alter the way they deal with data privacy.
As the GDPR applies to personal data, clearly defining the term personal data becomes crucial. In essence, any information that can be used to identify an individual is considered personal data. This includes IP addresses, email addresses, bank information, photographs, social media profiles, social media posts, and any other information the regulators deem relevant.
The GDPR comes with extended jurisdiction
Unlike its predecessor, the GDPR has extra-territorial jurisdiction. The regulation applies to all companies that process and store the personal, private data of any individual residing in the Union, irrespective of the company's location. Location ambiguity was a major problem under its predecessor that the GDPR seeks to rectify. It also applies to processors and controllers physically located in the EU that process personal data, irrespective of whether the processing itself occurs in the Union.
The GDPR unifies privacy laws across the Union
Every member state of the Union will set up an independent, country-based Supervisory Authority (SA), and a unified code of rules will apply to every state in the Union. A Supervisory Authority will be the lead authority in its particular location. An independent European Data Protection Board (EDPB) is also being set up.
What about data consent?
The large legal documents that make up the terms and conditions of most websites will no longer be legally binding in the Union, owing to their long, unreadable, and often illegible nature. Requests for consent must be presented in an easily accessible manner, with complete clarity about what is being consented to. In addition, individuals must be able to withdraw consent as easily as they gave it. Articles 4, 7, and 8 deal with the issue of consent. All consent-related documents must be clear, easily readable, simple, and written in plain language.
The new regulations have considerably strengthened the rights of individuals. Companies will no longer be able to mishandle sensitive personal data without consequence: doing so will lead to a large fine of up to 4% of a company's annual turnover.
Moreover, organizations storing personal information about their customers are liable for protecting it. A penetration test (pentest) can effectively uncover security weaknesses. It is also good practice to provide regular security awareness training for employees.