What Is the GDPR?

The General Data Protection Regulation (GDPR) creates a “one-stop shop” approach to data protection laws across the European Economic Area (EEA) and will come into effect on May 25, 2018. The GDPR, which will replace the current EU Data Protection Directive as the overarching data privacy framework, enhances the protection of EU residents’ personal data and increases the obligations of organizations regarding the collection and processing of personal data.

The EU General Data Protection Regulation (GDPR) is a major step in digital privacy and is the result of a long process rooted in European values. It is the most important change in data privacy regulation in 20 years. The 99 legal articles in the Regulation aim at strengthening laws on data protection, thereby giving EU citizens control over their personal data, while emphasizing the ideas of freedom, security, and equality within the European Union. The General Data Protection Regulation (GDPR) should impact nearly any data-driven business in the European Digital Single Market.

 

On May 25, the power balance will shift towards consumers, thanks to a European privacy law that restricts how personal data is collected and handled. The rule, called General Data Protection Regulation or GDPR, focuses on ensuring that users know, understand, and consent to the data collected about them. Under GDPR, pages of fine print won’t suffice. Neither will forcing users to click yes in order to sign up.

Instead, companies must be clear and concise about their collection and use of personal data like full name, home address, location data, IP address, or the identifier that tracks web and app use on smartphones. Companies have to spell out why the data is being collected and whether it will be used to create profiles of people’s actions and habits. Moreover, consumers will gain the right to access data companies store about them, the right to correct inaccurate information, and the right to limit the use of decisions made by algorithms, among others. In short, the law is a chance to flip the economics of the industry. Since the dawn of the commercial web, companies have been financially incentivized to hoover up data and monetize later. Now, EU consumers will have the freedom to opt in, rather than the burden of opting out. That emphasis on consent creates a financial reward to building consumer trust.

Here's what you should know about the rules for the protection of personal data inside and outside the EU.

The new data protection package adopted in May 2016 aims at making Europe fit for the digital age. More than 90% of Europeans say they want the same data protection rights across the EU and regardless of where their data is processed.

The General Data Protection Regulation (GDPR)

Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. Directive (EU) 2016/680 on the protection of natural persons regarding the processing of personal data connected with criminal offenses or the execution of criminal penalties, and on the free movement of such data.

The directive protects citizens’ fundamental right to data protection whenever personal data is used by criminal law enforcement authorities. It will, in particular, ensure that the personal data of victims, witnesses, and suspects of crime are duly protected and will facilitate cross-border cooperation in the fight against crime and terrorism.

What is Personal Data?

“Personal data” means data relating to an identifiable natural person, that is, one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier.

The broad scope of personal data, therefore, also includes IP addresses, device IDs, and advertising IDs.

 

Composed of representatives from each supervisory authority, the Board ensures the application of the regulation, but also advises other entities on how to protect users and impose sanctions. It cooperates with the European Commission, but is independent and has its own power.

Option to have your data transferred to another controller, in which case the data controller must hand your data in a readable format to your new entity, public authority, company or person who decides why, how and what data needs to be collected and processed.

Information collected from you that can be used to identify you, like a credit card number, a telephone number, physical information, or simply a name.

A leak of data, a hack, or any other event where the security of your personal data has been compromised and which leads to the misuse, destruction, or illegal use of your data.

Process of evaluation of the risks and the level of protection of your personal data.

The collection and handling of personal data.

The action of modifying or completing your data when it is not correct or complete.

The request you make to the controller, as a data subject, for a limitation to the access and handling of your data.

Part of the expanded rights of data subjects outlined by the General Data Protection Regulation is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift to data transparency and empowerment of data subjects.

Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in Article 17, include the data no longer being relevant to original purposes for processing, or a data subject withdrawing consent. It should also be noted that this right requires controllers to compare the subjects’ rights to “the public interest in the availability of the data” when considering such requests.

Privacy by design as a concept has existed for years now, but it is only just becoming part of a legal requirement with the General Data Protection Regulation. At its core, privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition.

An entity which monitors the application of the regulation in the State. The government has to provide the means for its functioning but has no influence over it. There must be at least one supervisory authority for each member State. One representative of each supervisory authority takes part in the European Board, to which it responds.

The area where the regulation applies.

Any entity, person, company or country who is involved in the handling of the data outside the data subject, the controller, the processor or an EU entity.