What is it?
A European Union regulation designed to give people more control over their personal data and to define how organizations must process such data.
Why is it important?
The GDPR expands the scope of data protection globally. This is important because it applies to many more organizations than previous regulations. In particular, the GDPR applies to any entity that has an establishment (any place of business) in the European Union and collects or processes personal data about any person in the world. And it applies to any entity that collects or processes personal data from a person in the European Union, regardless of where that entity is based.
Why does a business professional need to know this?
The EU GDPR is the most significant change in data privacy regulation in the European Union since 1995. It affects the overall risk and security management processes of any company that collects or processes information from a person in the European Union. Business professionals worldwide, not just in the EU, need to deal with the GDPR.
Key elements of the GDPR, which became effective in May 2018, include the following:
- Territorial scope: GDPR applies to all companies in the EU and overseas that do business with citizens of the EU, regardless of whether their data processing occurs in the EU or elsewhere.
- Penalties: Organizations that breach the GDPR can be fined up to the greater of 4% of annual global turnover or €20 Million.
- Consent: The GDPR requires terms and conditions related to personal data to be clear and free of unintelligible terms and legalese.
- Data breach notification: Any breach must be reported to authorities within 72 hours.
- Right to access: Consumers have the right to know what their data is being used for and to receive a copy of their data.
- Right to be forgotten: Also known as the “right to erasure,” this says that consumers may request that their data be erased. This right comes with some qualifications.
- Data portability: Consumers can access their data and send it to another company, again with some qualifications.
- Data Protection Officers and Privacy Impact Assessment: Organizations that engage in large-scale monitoring or processing of sensitive personal data, or which are public authorities, must have a single person responsible for compliance.
The GDPR represents a major change to the way that personal data must be handled. All companies, worldwide, should look closely at their operations; there are provisions in the GDPR that, if not carefully followed, could lead to steep fines. All organizations need to conduct a comprehensive audit to ensure that they collect, store, manage, and use personal data in accordance with the GDPR.