What is the upcoming GDPR?

On the 25th of May, 2018 a new regulation known as the General Data Protection Regulation (GDPR) will come into effect across the European Union.

The rule, as many industry watchers predict is going to have far-reaching effects and will define how data are solicited by companies, how these data are used, and how long organizations can keep these data. The GDPR seeks to protect individuals resident in the EU and give them greater control over their personal information. It is the most comprehensive regulation concerning privacy protection.

What exactly is this GDPR?

The GDPR is a data protection rule within the EU laws that are intended to strengthen and streamline data protection regulations across the Union. It applies to both EU organizations and non-EU companies (of any size) as long as their operational processes involve soliciting, processing and tracking data from EU citizens; making it genuinely global.

Key Principles of GDPR

As you prepare your organization to become GDPR compliant, here are some of the essential topic-areas to take note of:

Data controllers and processors

Once the GDPR comes into effect, all data handling firms are classified as either processors or controllers.

It’s imperative to note that, though the bulk of responsibility on how data is used lies with the controller, the processor is in some instances liable for complying with specific legal requirements. For instance, the processor is expected to put in place system that guarantees the integrity, confidentiality, security, availability, and resilience of all data they are handling. While the controller may or may not be directly involved in the processing and management of data at all, they nonetheless are liable for the use of those data; since they are the ones issuing directives on what to do with them.

Expanded definition of personal data

Under the GDPR, the interpretation of personal data includes all personally identifiable information (PII) such as name, birth date, passport number, etc.  And also those data we typically don’t regard as PII such as device Ids and IP addresses.

Other essential parts of the GDPR regulation include:

EU citizens have the right to request a copy of their personal data, ask for the data to be updated, deleted, restricted, or even move to another organization.

All data handling organizations must keep personal data in their possession up to date and accurate and also it should not be held longer than necessary.

Personal data should be collected to fulfill a specific purpose and should not be used in a manner outside the initial goal of obtaining it. Also, companies must state explicitly to what purpose they need the data.

Organizations collecting data must ensure they are safe and secure; large companies or organizations performing certain types of functions are mandated to have a data protection officer.

Obtaining Consent for data

The GDPR stipulates that organizations relying on consent to process data must as a mandate, make the request clear and easily understood. Also, the specifics and purpose of the request stated explicitly. This means that consent is no-longer assumed by default due to non-response, or silence or by just a box tick – it must be given freely and explicitly by the individual.