If you felt like every email you have opened so far in 2018 ran along the lines of the title above, it is because of the new General Data Protection Regulation (GDPR), which came into force on 25 May 2018. But what is GDPR, and how does it affect us?
Technology changes much faster than our laws can keep up with, yet there still need to be rules to protect our sensitive personal data from theft or oversharing. To avoid the confusion of potentially conflicting data protection laws in each member country of the European Union, the EU has passed the GDPR, also known as the General Data Protection Regulation, to replace the old Data Protection Act of 1998.
This is good news for citizens of the EU, but it may change the way some companies collect, store, and use customer data. If a company does not comply with these regulations, it can be fined up to 20 million euros or four percent (4%) of its global revenue, whichever is higher.
This new set of rules gives EU citizens more control over their personal data. They will now be able to access the data that companies hold about them and find out where it is stored and for what purposes it is being used.
The general idea is privacy by default. Instead of making you dig through menus to opt out of handing your data over, companies will now be required to ask you to opt in.
The law prevents companies from collecting information about things like your race, ethnicity, political views, religious beliefs or sexual orientation unless they get your explicit consent. And even if you do give it, you can have that data deleted whenever you like.
Who does it apply to? Spotify, Facebook, Google, Netflix, Apple, Amazon, your bank, your travel agent; basically any company with customers in the EU, even if the company itself is not based in the EU. Some companies, like Facebook and Microsoft, have said they will apply the new EU privacy law across the board, including to their customers outside the EU.
Companies cannot use a user's data, or track the user, without clear consent. Data must only be used for the purpose it was collected for. GDPR limits how data is collected, used, and shared.
Data breaches must be notified within 72 hours of the incident.
Users have the right to view their own personal data and to request copies of it.
Users' data must be permanently deleted or erased on demand.
Users can ask to share, transfer, or reuse their own personal data. When they do, the personal data must be provided or transferred in a machine-readable electronic format.
Companies must secure personal data, and their infrastructure should support this.
So if you are an institution or have more than 250 employees, you need to appoint a professional data protection officer who oversees whether the company is doing everything possible to protect personal data.