On April 14th, 2016, the General Data Protection Regulation (GDPR) was approved by the EU Parliament after a four-year debate. The GDPR is a milestone in data protection reform. It will go into effect on May 25th, 2018.
Exactly what is it?
First, the GDPR is not a revolution. It is an evolution, because parts of the GDPR carry over from prior regulations. These parts are:
- Data minimization
- Respect for individuals
The new components include:
- Individual rights
- Business accountability
- Embedded privacy centric focus
Most important change:
The reach of this updated regulation extends across the entire globe. All EU citizens, no matter where they are in the world, are protected under the GDPR. This means that any business done in the EU, and any business done with EU citizens, must comply with the GDPR.
Who is affected:
Those who will see a major change are data processors and data controllers.
Data controller: Determines the means and purposes of processing personal data.
Data processor: Processes personal data on behalf of the data controller.
Before the GDPR, liability for data processing fell solely on the data controllers; they were responsible for all data protection noncompliance. Now, data processors must also comply with the GDPR or face penalties.
How individuals give consent to the use of their personal data will also change under the GDPR. Long gone are the days of pre-ticked consent boxes, as forced or "omnibus" consent is no longer allowed. Inactivity will not count as consent either. The GDPR has also defined the ages at which individuals are able to give consent:
- 13 years old and under: never able to give consent
- 13-15 years old: generally should not be able to, but can where the law allows it
- 16 years and older: legally allowed to give consent
It is important to understand exactly what personal data is before this new regulation goes into effect. Personal data is any data from which a living individual can be identified by anyone, directly or indirectly. Such identifiers include a name, a photo, an email address, bank details, posts on social networking sites, medical information, or a computer's IP address.
Non-compliance can lead to hefty fines. Fines are based on a tiered system that takes into account how serious the infringement is. In the most serious cases, an organisation can be fined up to 4% of annual global turnover or 20 million pounds (close to 28 million American dollars).
This article is just a quick overview of the GDPR; it is a very in-depth but important new regulation that is quite beneficial to individuals. Learn more on the official GDPR website. Tell us what you think in the comments below!