General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also addresses the export of personal data outside the EU and EEA. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU (Wikipedia contributors, 2018, May 25).
GDPR goes live today - and it affects you
The following excerpt summariese GDPR and is from a Paul Matthews ITP CEO in the electronic newsletter ( Matthews, P. ( personal communication, May 25, 2018) GDPR goes live today - and it affects you. ITP Newsline Extra: GDPR goes live today. Institute of IT Professionals, New Zealand).
I bet you've been enjoying the flood of GDPR-related "updated our terms" emails over the last few days as much as I have - hopefully most are done now!
So what's all the fuss about? It's actually a really significant change to the rules around personal data, and it really does affect you.
Here's a quick summary:
- The EU says the changes attempt to "harmonize data privacy laws across Europe, protect and empower all EU citizens data privacy and reshape the way organizations across the region approach data privacy."
- One of the more controversial impacts of the new rules, and the reason it has such a world-wide impact, is what they call the "extra-territorial applicability". This means that it applies to all companies worldwide who are dealing with information about people residing in the EU, even those simply offering goods or services to EU citizens. It hits everyone and it's huge.
- One of the key changes is around consent. Basically if a company is going to store or process personal data such as names, email addresses and the like, it needs to have explicit consent. The small print in the middle of a 10-page "terms and conditions" aren't enough - it has to be in complete plain English.
- The method of consent has to be recorded as well and proper records kept. This is significant - for example, if you have a mailing list you need to be able to show when people opted in and how.
- The fines are huge too. Companies can be fined up to 4% of their annual global turnover for breaches, with big fines for even seemingly minor issues.
- Companies must now also tell people if they've had a breach. We've seen a heap of this lately - people's information being stolen and companies keeping it quiet to try to avoid reputational damage. Do that now and it could cost 2% of global revenue.
- Other changes are familiar to kiwis, such as the right to obtain (free of charge) any information that is being held about them. That's been a part of NZ's Privacy Act for a long time, although the EU law goes further.
- There's heaps more as well, such as the controversial "right to be forgotten" This basically gives EU citizens the right to have Google, for example, remove references to them on searches. And again, the rules apply globally - not just to EU companies.
- The new rules also put into law the concept of "Privacy by design" for software developers. Basically software developers have to show they've built privacy into software from the ground up, not just tagged it on in the end. This has been a long time coming.
So some really important things to think about from a IT Professional perspective as well, even if you're not based in the EU.
References
