Definition GDPR (General Data Protection Regulation)
GDPR, the abbreviation of the General Data Protection Regulation, is legislation that will update and unify data privacy laws throughout the European Union (EU). GDPR was approved by the EU Parliament on April 14, 2016, and entered into force on May 25, 2018.
The GDPR replaces the EU Data Protection Directive of 1995. The new regulation focuses on making companies more transparent and on extending the privacy rights of data subjects.
When a severe data breach is detected, the regulation requires the company to notify all affected persons, and to notify the supervisory authority within 72 hours.
The mandates of the rule apply to all data produced by EU citizens, regardless of whether the company that collects the data is located in the EU or not. They also apply to all people whose data is stored in the EU, whether or not they are EU citizens.
Process of GDPR
Under the GDPR, companies cannot legally process the personally identifiable information of any person unless at least one of the following six conditions is met:
- The data subject has given express consent.
- Processing is necessary for the performance of a contract with the data subject, or to take steps prior to entering into a contract.
- Processing is necessary to comply with a legal obligation.
- Processing is necessary to protect the vital interests of the data subject or of another person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the legitimate interests pursued by the controller or a third party, except where those interests are overridden by the interests, rights or freedoms of the data subject.
In addition, companies that process data or monitor data subjects on a large scale must appoint a data protection officer (DPO). The DPO is responsible for data governance and for ensuring that the company complies with the GDPR.
If a company does not comply with the GDPR once the regulation is in force, the legal consequences may include fines of up to 20 million euros or 4 percent of the company’s annual global turnover.
According to the GDPR, the rights of the interested parties include:
Right to be forgotten
Data subjects may request that a company delete the identifying data it holds about them. The company may refuse such a request if it can demonstrate a legal basis for the refusal.
Right of access
Data subjects can review the data that an organization has stored about them.
Right to object
Data subjects may refuse a company permission to use or process their data. The company may disregard the objection if it can meet one of the legal conditions for processing the subject’s personal data, but it must notify the subject and explain its reasoning for doing so.
Right to rectification
Data subjects can expect inaccurate personal information to be corrected.
Portability right
Data subjects can obtain the personal data that a company holds about them and transfer it elsewhere.
Some critics have expressed concern about the UK’s upcoming withdrawal from the EU and wonder whether it will affect the country’s compliance with the GDPR. At the time of writing, the United Kingdom has to replace the Data Protection Act of 1998 with a new law, called the Data Protection Act 2017.
Because companies in the United Kingdom often do business with customers or other organizations in EU member states, they are still expected to comply with the General Data Protection Regulation, either directly or through an adequacy (“fitness”) test acceptable to European authorities.