Crystal clear #9: What is GDPR?

25.10.2017

The new European GDPR legislation is intended to provide better protection for the citizen’s privacy. What does this mean in concrete terms, and what impact will it have on users and companies? A brief overview of the key issues is provided below.

1. What is GDPR?

GDPR stands for General Data Protection Regulation. This European regulation replaces the Data Protection Directive 95/46/EC from 1995.

The aim is to protect the citizen’s privacy better and to lay down uniform rules for the entire EU. The citizen will gain more control over how his personal data are used. Moreover, the GDPR establishes a clear legal structure, a standard that applies throughout Europe, so that companies know how they have to act to guarantee privacy.

2. Who falls under the scope of application of the GDPR?

Every organization, every company and every governmental authority that collects and processes personal data of European citizens must apply the GDPR, irrespective of the country where the company or organization is established. An American company that works with data of European users must also comply with these rules. If you run a physical or online shop and collect your customers’ addresses in order to send them a regular mailing by post or electronically, you fall under the scope of the GDPR.

The definition of personal data is important here. The regulation speaks about Personal Identification Information or PII. This covers not only your name, address, identity card number, national register number and date of birth, but also digital data such as location, IP address, cookie data and RFID tags. Health data also fall under PII, as do genetic, biometric, racial and ethnic data, sexual orientation and political opinion.

3. When will GDPR enter into force?

This new European regulation will enter into force on 25 May 2018 in all Member States. The governments of the individual member states may not introduce any supplementary regulations themselves – GDPR is directly binding and applicable.

4. How prepared is your company for GDPR?

  • Go over your operating processes.
  • Check which data you collect and how you store them. Do you have the necessary supporting documents proving the user’s consent? Is the data processing covered by one of the exceptional cases in which no explicit consent is required?
  • Create a register of how you process data.
  • Carry out a risk assessment: what can go wrong, and how can you prevent it?
  • Establish a procedure for any possible incident (break-in, leakage, etc.) in which data are exposed. Test the procedure.
  • Work out a process for permanent monitoring: your company must also remain compliant with the GDPR in the future.

5. What if you are not compliant with GDPR?

Well, things won’t get that far, you say to yourself, and you just continue sending advertising e-mails to the list of addresses that you bought a while ago… Well, that could cost you a great deal of money!

The fines imposed on those who breach the GDPR are sizeable, and can amount to 4% of the worldwide turnover, with a maximum of €20 million. So it is in your best interest to take the GDPR seriously. This will require quite a lot of work, particularly in the beginning. But the biggest advantage is that the same GDPR rules apply throughout Europe, so you comply at once with the privacy legislation for all European countries!

More information is available from the Privacy Committee, which has also devised a register for processing activities.