What is GDPR? The EU’s new General Data Protection Regulation
The General Data Protection Regulation is a new EU-wide law that strengthens the data protection and privacy rights of individuals in the EU once it becomes effective on May 25, 2018. Among its novelties, the GDPR introduces the right to portability of personal data, which allows a customer to take the personal data he/she has provided to one company and share it with other companies with which he/she engages.
The GDPR, which seeks to enhance the security and protection of consumer data, replaces the Data Protection Directive of 1995 and will require member states to adapt their national data protection laws (the LOPD or Organic Law on Data Protection, in the case of Spain). To this end, it defines new requirements for companies operating in Europe, in all sectors.
The new regulation places special importance on consent to the processing of data. From now on, consent is central to data portability, since the right to portability applies to data that is processed on the basis of the data subject's consent (or of a contract). Consent will also be essential on certain occasions as the legal basis for processing personal data.
What does GDPR change?
This regulation extends the territorial scope of European data protection law: it also covers non-European companies that offer goods and services to individuals in the EU, or that monitor their behaviour.
Firms also become fully accountable for how they manage personal data: data protection must be built into the design of all data processes ("privacy by design"), and services must be configured so that, by default, only the personal data necessary for each purpose is processed ("privacy by default").
In addition, the penalties for breaches of data protection obligations increase significantly and can reach up to 4% of the annual global turnover of the company concerned, or EUR 20 million, whichever is higher.
Finally, companies whose core activities consist of large-scale or systematic processing of personal data (or of sensitive categories of data) will be required to appoint a Data Protection Officer (DPO).
The three key elements of the GDPR
- Consent
To process certain types of data, companies will be required to obtain freely given, specific, informed and unambiguous consent from their customers/users, and in some cases (for example, sensitive categories of data) explicit consent.
Consent is not the only legal basis for processing, however. It will not be necessary when the company's processing is justified by a legitimate interest that is not overridden by the rights of the data subject; direct marketing, improving the company's own activity and preventing fraud are examples of interests that may qualify.
- Data portability and right to be forgotten
The GDPR introduces the right to portability and reinforces the right to be forgotten (right to erasure). Under the first, a consumer can ask a company to hand over all the personal data that the company holds on him/her.
This data must be provided in a structured, commonly used and machine-readable format and, at the consumer's request, transmitted directly to another company where technically feasible. The right to be forgotten entitles the data subject to have the data controller erase his/her personal data and, in some cases, to restrict its processing in the meantime.
- Security and traceability
Companies must implement technical and organisational security measures appropriate to the risk of each data process and be able to demonstrate compliance: among other things, they must keep records of their processing activities and notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to individuals. The regulation also provides for voluntary certification mechanisms, seals and marks, which companies can use to demonstrate that their processes comply with the law, reducing legal risk and building customer trust.
What does it mean that it is a regulation?
Regulations are binding legislative acts that apply in their entirety without needing to be transposed into national law, unlike directives (such as the 1995 Data Protection Directive), which each member state had to implement through its own legislation. A regulation becomes directly enforceable as law in all member states simultaneously (in some cases after a transition period, as with the GDPR's two years between adoption in 2016 and application in May 2018).