You are probably already aware of the General Data Protection Regulation (GDPR), which has been in effect in the European Union since May 25, 2018.
The GDPR aims, among other things, to address the security breaches, data theft incidents and large-scale data collection that have become commonplace on the internet today.
Online consumers and internet users in general are becoming increasingly aware of the value that their data holds for hackers as well as for corporations. As a result, the demand for greater transparency and responsiveness from the companies that gather and store personal data has grown steadily.
What is the GDPR?
The GDPR replaces the 1995 EU Data Protection Directive (95/46/EC), which was adopted before the emergence of social networks, big data, cloud computing and the Internet of Things. In Belgium, the directive was implemented through the Privacy Act of December 8, 1992 (as later amended to transpose the directive), which governed the protection of privacy with respect to the collection of personal data and the methods and tools used to process it.
The GDPR was designed to harmonize data protection legislation across the European Union and to impose new, more stringent rules on how personal data is collected, processed and stored. (The GDPR uses the term "personal data"; "personally identifiable information" (PII) is the US term, and this article uses the two interchangeably.)
What is PII (Personally Identifiable Information)?
The GDPR defines personal data as any information relating to an identified or identifiable natural person. The following are examples; the first three belong to the "special categories" of data that receive additional protection under the regulation:
- Sexual orientation
- Political opinions
- Race or ethnicity
- Web data such as cookies and IP addresses (online identifiers)
- Identity information (name, first name, postal address, etc.)
Data privacy in Canada
The Personal Information Protection and Electronic Documents Act (PIPEDA), the closest Canadian counterpart to the GDPR, defines personal information as information about an identifiable individual, in other words any information that can be used to identify a person. The Act covers data such as the following:
- Age, name, ID numbers, income, ethnic origin, blood type
- Opinions, evaluations, comments, social status or disciplinary actions
- Employee files, credit records, loan records, medical records, the existence of disputes between customers and vendors, and intentions (for example, to acquire goods or services, or to change jobs)
Data privacy regulation in the US
Although a number of state and federal laws in the US deal with data privacy and protection, the US currently has no single federal equivalent to the GDPR and no central data protection authority that enforces one.
Who does the GDPR apply to?
Territorially, the GDPR applies to any processing of personal data carried out in the context of an establishment in the EU, and to any organisation, wherever it is based, that collects, processes or stores the personal data of individuals in the EU.
The 1995 directive was tied mainly to organisations established in the EU. The GDPR goes further: any company that offers goods or services to persons in the EU (including free products and services) or monitors their behaviour (e.g. social media platforms, data collection apps, analytics and monitoring tools) must comply, regardless of where it is established.
This means that even tech giants such as Google, Amazon and Facebook are obliged to comply with the GDPR insofar as they gather, process or store information about individuals in the EU.
What do companies have to do to comply with the GDPR?
1. Transparency
The GDPR is based on the principle of transparency. When companies collect, process or store personal data, they must do so in a transparent manner. In practice, this means that every person concerned must be informed in clear and understandable language.
Companies must specify what types of data are collected on users, what the collected data is used for, how long it will be stored, who it will (or could) be shared with, and what rights users have with regard to their data.
All of the above must be disclosed in a privacy notice, typically published on the company's website, at the time the data is collected.
2. Obtaining consent or another lawful basis
Simply informing customers is not enough under the GDPR. Every processing operation needs a lawful basis; where that basis is consent, the consent must be freely given, specific, informed and unambiguous, and it must be obtained before the personal data is processed or stored.
3. Ensuring security and legality of data processing
Companies collecting personal data (and any processors acting on their behalf) must put in place technical and organizational measures appropriate to the risk, such as encryption, access control and the ability to restore availability after an incident, to secure that data.
4. Compliance with special obligations to inform customers in the event of data breaches
In the event of a personal data breach, the company must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to the privacy, rights and freedoms of the affected customers, the company must also inform those customers directly and without undue delay.
The GDPR enforces greater accountability of companies
The GDPR introduced two related concepts into its scope of regulation, data protection by design and by default:
1. Privacy by Design
The first concept is data protection by design. Companies that intend to gather and process customer information must build privacy into new products or services from the design stage (for example by minimizing the data collected and pseudonymizing it where possible), rather than adding it afterwards.
2. Privacy by Default
The second concept is data protection by default. Companies must proactively ensure that, by default, only the personal data necessary for each specific purpose is processed, so that clients' privacy is protected without their having to request it. A practical example is configuring a website so that the most privacy-friendly settings apply by default, with optional tracking switched off until the user opts in.
Is customer data allowed to leave the EU?
Yes, but only under conditions. Personal data may be transferred to a country outside the EU if the European Commission has found that country to provide an adequate level of data protection, essentially equivalent to that of the GDPR. Where no such adequacy decision exists, the transfer must rely on appropriate safeguards, such as standard contractual clauses or binding corporate rules.
What are customers’ rights under the GDPR?
The following are the main rights that customers have under the GDPR (the list is not exhaustive; the regulation also grants, for example, a right to data portability and a right to object to certain processing):
1. Right of access
Customers and users have the right to ask, at any time, whether their personal data is being processed and, if so, to obtain a copy of it together with information about the purposes of the processing.
2. Right of rectification
Inaccurate or incomplete data must be corrected or completed at the request of the customer or user.
3. Right of restriction of processing
Under certain circumstances (for example while the accuracy of the data is being contested), customers and users have the right to require that the processing of their data be restricted.
4. Right to erasure of data (or “right to be forgotten”)
In certain cases (for example where the data is no longer needed for the purpose for which it was collected, or where consent has been withdrawn), users and customers also have the right to have their data erased.
What is the penalty for non-compliance with the GDPR for companies?
Companies that collect, process or store the information of individuals in the EU and fail to comply with the GDPR face administrative fines of up to €10 million or 2% of their worldwide annual turnover, whichever is higher, for less serious infringements, and up to €20 million or 4% of worldwide annual turnover for the most serious ones, such as violating the basic principles of processing or the rights of data subjects. For large companies this can amount to hundreds of millions of euros.