What is General Data Protections Regulation (GDPR)?

By Ashley Watters, Abshier House

The General Data Protections Regulation (GDPR) is a ruling intended to protect the data of citizens within the European Union. The GDPR is a move by The Council of the European Union, European Parliament, and European Commission to provide citizens with a greater level of control over their personal data.

After several years of refining and debating, the regulation was officially approved by European Parliament on April 14, 2016. The EU has allowed a two-year transition period for organizations to reach compliance. As of May 25, 2018, heavy fines will be levied against any business who does not meet the guidelines set forth by the GDPR.

gdpr

Who will be affected by the GDPR?

The GDPR has far-reaching implications for all citizens of the European Union and businesses operating within the EU, regardless of physical location. If businesses hope to offer goods or services to citizens of the EU, they will be subject to the penalties imposed by the GDPR. In addition, any business that holds personal data of EU citizens can be held accountable under the GDPR.

What sort of data will fall under the General Data Protections Regulation?

  • Name
  • Photo
  • Email address
  • Social media posts
  • Personal medical information
  • IP addresses
  • Bank details

The GDPR covers any information that can be classified as personal details or that can be used to determine your identity. Parental consent will be required to process any data relating to children ages 16 and under.

The regulation specifies the entities that will be impacted by the GDPR. The wording specifically includes data processors and data controllers. What does this mean? Information that is stored in a “cloud” or in a separate physical location is still subject to penalties. Regardless of who has determined how your information will be used and who actually uses it, fines can still be imposed for misuse if it concerns the data of EU citizens.

Penalties for not complying with GDPR

Businesses that fail to comply with GDPR will be subject to fines starting in May of 2018. This can mean different things for businesses depending on the level of infraction. On the high end, businesses may be required to pay up to 4 percent of their global turnover, or 20 million Euro, whichever is highest. Companies may also be fined 2 percent for not taking appropriate measures to keep records in order. Ultimately, the fine will depend on the nature of the infraction.

Data breaches and the GDPR

A data breach is any situation where an outside entity gains access to user data without the permission of the individual. Data breaches often involve the malicious use of data against users.

If a data breach should occur, the GDPR specifies that companies must provide adequate notification. The affected company has 72 hours to notify the appropriate data protection agency and must inform affected individuals “without undue delay.”

Uncertain politics and the GDPR

In an uncertain political climate, many companies and citizens are concerned about how they will be affected by the GDPR given the undetermined nature of Brexit. Companies operating in the UK are encouraged to take measures to comply with the GDPR. Although these companies may not be subject to the GDPR, EUGDPR.org states that “The UK Government has indicated it will implement an equivalent or alternative legal mechanisms.”

If you believe you will be operating in the UK but not in other EU countries, you are still encouraged to prepare for the GDPR as the UK is expected to follow suit with similar data protection legislation.