Are you an individual who worries about your personal data while transacting online?
Are you an organization doing business? Do you think about protecting your customers’ personal data? If not, are you ready to pay fines of up to 4% of annual global turnover or more?
Users’ personal data is in danger. Organizations handling data are in danger. Neither knows the right way to process and protect this personal data. This article is an attempt to educate you about what GDPR is and how it impacts all of us as individuals and organizations.
Personal Data Security
Given the great technological advancements, globalization and complex flows of personal data, users are increasingly worried about the security of their personal data online. Today, keying in a phone number or email address might reveal users’ personal information at the click of a button, if this data falls into the hands of an irresponsible organization. Are governments not worried? Are there any laws and regulations to protect users?
What is GDPR
The European Union's new General Data Protection Regulation (GDPR) came into effect on May 25, 2018. The GDPR will apply to organizations processing personal data in the EU and also to organizations outside of the EU who may be targeting, or offering goods and services to, individuals within the EU. This regulation gives individuals control over their data by letting them choose how their data is handled online. GDPR highlights how personal data is captured and documented by organizations, how it is processed, and what changes are required to the systems processing users' personal data in order to comply with GDPR requirements.
What GDPR means to Individuals and Organizations
Individuals use many products, be it mobile apps or websites. GDPR expects organizations owning these products to notify users how their personal information is consumed within the products. Products working with third-party partners must have a personal data policy and a privacy policy to ensure there is no threat to the data when it changes hands from one entity to another.
Basic Definitions
Personal Data
Any information related to a natural person that can be used to directly or indirectly identify the person is Personal Data.
It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
Data processor
The entity processing personal data on behalf of, and in accordance with the instructions of, a data controller.
Data controller
The entity deciding the means and purpose of the processing of personal data.
What will change?
Under the GDPR, the obligations on data controllers will substantially increase and, importantly, data processors will also now have data protection obligations. For example:
- Data controllers and processors alike will now be required to keep records of their processing.
- Contracts with processors will need to be updated with new mandatory provisions. Privacy notices will need to be updated.
- “Consent” will be more difficult to obtain and may need to be refreshed.
- Principles of “privacy by design” mean that organisations must look at their processing and assess whether it is imperative.
Privacy rules around the world are tightening. The GDPR is just one example of a regime change which aims to put the rights of the individual first. Many of the principles are similar in privacy regimes around the world, but the GDPR is often stricter. Although compliance with the GDPR will not guarantee compliance with all privacy regimes across the globe, it will help to reduce global risks.