When it comes to data processing, European citizens will have extended rights from May 2018. At the same time, organisations operating on the continent will have more obligations to fulfil.
The General Data Protection Regulation (Regulation (EU) 2016/679) entered into force on 24 May 2016, with a two-year transition period in which any entity operating in Europe has to adapt its infrastructure to the new law. From 25 May 2018 the regulation applies in full, and organisations that do not comply can be penalised.
Penalties and fines will be heavy: for the most serious breaches of the legal requirements, up to €20 million or 4% of a company's total worldwide annual turnover, whichever is higher.
Gartner estimates that more than 50% of organisations operating in Europe will not have adapted their infrastructure to the new law by 25 May 2018. Whatever their state of readiness, all residents of the European Union will have new rights when it comes to data processing. Let's look at the five essential keys of the new General Data Protection Regulation.
1. What is the purpose of the GDPR?
To simplify and unify the right to data protection of European citizens. The law also gives people more protection coverage, because before the GDPR each country applied the 1995 Data Protection Directive through its own national rules on data processing, which varied from state to state.
Citizens will have real control over their data and the ability to act on it, while companies and entities operating in Europe will no longer have to deal with a different regulator in every country when processing the data of clients across Europe. Another benefit for companies is that they can sell into a single digital market.
2. Who is affected by this law?
The GDPR affects any organisation, state body or institution that processes the personal data of people in the European Union. It also applies to those not based in the EU that offer goods or services to EU residents or monitor their behaviour. An organisation outside the EU with European clients or users must, in most cases, designate a representative established in the Union. Separately, a data protection officer is mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data.
3. The right to be forgotten
This right began with a ruling of the Court of Justice of the European Union on 13 May 2014, the Google Spain case. The Court found in favour of the Spaniard Mario Costeja, who had asked for the removal of search results linking to an old La Vanguardia notice about his debts, information that damaged his image.
The Court held that a search engine operator such as Google is a data controller for the personal data it indexes. European residents can therefore ask for search results that affect their privacy and honour to be delisted, as long as removal does not conflict with the publisher's freedom of expression or the public interest in access to the information; the original newspaper publication itself was not ordered removed.
The GDPR is conceived to give European citizens more guarantees, and the right to be forgotten is written into this regulatory framework as the right to erasure (Article 17).
4. The right of data portability
From the implementation date, 25 May 2018, entities must hand over personal data to clients and users who ask for it, in a structured, commonly used and machine-readable format. European residents will be allowed to transfer this data to another organisation without obstacles. The flow of information among entities will be easier, which also makes it easier to switch service providers and promotes competition inside the European market.
This right applies to the data users provide directly and also to data observed from their activity, for example the data gathered when a user visits a site and buys something online. It does not extend to conclusions the organisation itself derives from that data.
For these reasons, those in charge of data processing should adapt their infrastructure to this law, as they must be ready to respond to data portability requests. For example, an entity can offer a self-service function that lets users download their data and transfer it to another organisation.
5. Active responsibility and the consent of data
With the new GDPR, entities take an active role in data processing. Tacit consent to gather information from users and clients will no longer be allowed. In a few months, European residents must be told if an organisation is going to collect their data and must give consent through a clear affirmative action; on the Internet, that typically means ticking a box. Silence, pre-ticked boxes or inactivity will not count as valid consent under the new regulation.
If an organisation gathers user and client data for several purposes, it must request consent separately for each purpose. Any request for consent must be clearly distinguishable from other matters and written in clear, plain language. One of the objectives of the European General Data Protection Regulation is to prevent organisations causing damage to European users that is hard to repair.
On the subject of metadata, we have already discussed how easy it is to violate citizens' privacy with data gathered under tacit consent. That kind of violation is exactly what the regulators behind this legal framework consider damage that is "hard to repair".
6. The one-stop shop [Bonus extra]
Each member state has its own independent supervisory authority (SA) with which citizens can lodge complaints about data processing. The SA that receives a complaint determines whether the case is purely local or cross-border; for cross-border processing, the SA of the organisation's main establishment acts as lead authority and coordinates with the other authorities concerned. If the authorities involved disagree, the matter goes to the European Data Protection Board (EDPB), which issues a binding decision.
In summary, European citizens will regain control over their personal information through mechanisms like the one-stop shop. That is good news today, when most people handle a large quantity of data through their devices.
By Sarah Santiago