The General Data Protection Regulation: Europe Leads the Way
In May 2018 the European Union enacted the General Data Protection Regulation. Abbreviated to GDPR, this regulation launched much discussion about who owns your personal information, what rights individuals have related to data about themselves and what steps companies must take in order to keep personal data private.
How Did GDPR Originate?
Data privacy has been a long-standing topic throughout the world. With the growing popularity of computing and an increasing emphasis on digital communication, the Organisation for Economic Co-operation and Development (OECD) began to examine the rights of individuals with respect to their data in 1980. The result was a series of data handling principles that, in 1995, eventually formed the foundation of the Data Protection Directive (DPD).
The DPD was the first EU-wide data privacy effort and the precursor to the General Data Protection Regulation. It introduced a definition of personally identifiable information (PII), stated that use of the data must be transparent and proportional to the permission given, called for regulatory bodies in the member states and addressed the transfer of data to third countries (non-EU countries).
While this was a strong initial effort, technology has evolved since the DPD was designed. The General Data Protection Regulation was crafted to modernize and expand upon its intent. Additionally, as a regulation, GDPR immediately became law in all member states, which had not been the case with DPD.
To Whom Does the General Data Protection Regulation Apply?
In one sense GDPR is a global law. The requirements stated within apply to any company that processes data of European Union citizens. For example, if a company operating in the United States uses data belonging to a citizen of Germany, it must operate within the guidelines established by GDPR.
So, it’s not about where you are or what business you’re in; rather, it’s about whose data your business uses.
What Does the GDPR State?
The General Data Protection Regulation standardizes what is allowed in terms of processing and controlling personal data. Obviously, there are fine details that should be reviewed by your legal team, but at its heart, it:
Broadens the definition of personally identifiable information to state that this is any data that can be used to identify someone. The scope now includes information like fingerprint scans, IP addresses and more.
Expands individual rights. EU citizens now have the right to know when their data is collected and how their data will be used. They have the right to request their data be deleted, as well as to request access to or a copy of their data.
Extends responsibility to both data controllers and data processors. Now both are responsible for safeguarding personal data. In addition, a data protection officer may be required to oversee related processes.
Demands quick response to security breaches. Companies must now notify people who are impacted by a data breach within 72 hours of learning about the breach.