What is GDPR and how did it come about?
The General Data Protection Regulation (GDPR) is an EU regulation, proposed by the European Commission and adopted by the European Parliament and the Council of the European Union in 2016, that strengthens the protection of personal data for people in the EU. It replaces the 1995 Data Protection Directive (implemented in the UK as the Data Protection Act 1998) and addresses ways of exploiting personal data that cloud and internet services have since made possible. Your name, credit card number, address and phone number are routinely collected, analysed and stored by banks, governments, social media companies and retailers, and the GDPR was enacted to give people more control over that data. The EU hopes to build trust in the growing digital economy by strengthening data protection and privacy law and backing it with tough enforcement. It also aims to give businesses a single, clear legal framework that applies in the same way across all member states.
What is GDPR compliance?
Data breaches occur daily; information is stolen, lost or ends up in the wrong hands. Under the GDPR, organizations may collect personal data only under strict, lawful conditions, and those who collect and process it must protect it from misuse while respecting the rights and choices of the people it describes (the data subjects). Failure to do so exposes the organization to heavy penalties, with fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher.
Under the earlier data protection law, personal data meant items such as a name, address or photograph. The GDPR broadens the definition to any information relating to an identified or identifiable person, which expressly includes biometric data, genetic data and online identifiers such as IP addresses where they can be used to single out an individual. The GDPR applies in all EU member states from 25 May 2018.
What does GDPR mean for businesses and consumers?
The GDPR applies to organizations that process the personal data of people in the EU, whether or not the organization itself is based in the EU. It requires privacy by design and by default: data protection safeguards must be built into products and services from the earliest stages of development rather than bolted on afterwards. Businesses are also encouraged to use techniques such as pseudonymization, which replaces directly identifying fields with substitutes that cannot be linked back to a person without additional information that is held separately and protected.
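The following is an added example, not code from the original article, showing what pseudonymization as the GDPR describes it looks like in practice: identifiers are replaced with a keyed HMAC so that the same person always maps to the same pseudonym, while the key (the "additional information" that must be kept separately) is what makes re-identification impossible from the dataset alone. It also shows why a plain hash is not enough: for a small input space such as a phone-number range, an unkeyed hash is trivially reversed by enumeration. The key value, the field names and the sample records are constructed for the example.

```python
import hashlib
import hmac
from typing import Callable, Dict, Iterable, Optional, Tuple

# Constructed example key. In a real deployment this would be generated with
# secrets.token_bytes(32) and held in a KMS/HSM, separate from the pseudonymized
# dataset, so that the data on its own cannot be linked back to a person.
PSEUDONYM_KEY = bytes.fromhex("0f" * 32)


def normalise(value: str) -> str:
    """Canonicalise before hashing so 'Alice@Example.com ' and 'alice@example.com'
    yield the same pseudonym; otherwise joins across datasets silently break."""
    return " ".join(value.strip().lower().split())


def pseudonymise(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic pseudonym: same input and same key give the same output.
    Without the key there is no efficient way to go from pseudonym back to value."""
    return hmac.new(key, normalise(value).encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_hash(value: str) -> str:
    """What people often do instead: a bare SHA-256. Deterministic, but anyone can
    recompute it, so it is only as strong as the unpredictability of the input."""
    return hashlib.sha256(normalise(value).encode("utf-8")).hexdigest()


def reidentify_by_enumeration(
    target: str, candidates: Iterable[str], hasher: Callable[[str], str]
) -> Optional[str]:
    """Attacker's view: hash every plausible input and look for a match."""
    for candidate in candidates:
        if hmac.compare_digest(hasher(candidate), target):
            return candidate
    return None


def pseudonymise_record(
    record: Dict[str, object], identifier_fields: Tuple[str, ...] = ("email", "phone")
) -> Dict[str, object]:
    """Replace direct identifiers in a record, leaving non-identifying fields as-is."""
    out = dict(record)
    for field in identifier_fields:
        if field in out:
            out[field] = pseudonymise(str(out[field]))
    return out


if __name__ == "__main__":
    # Constructed sample data; the 07700 900xxx range is reserved for fiction in the UK.
    phone = "+44 7700 900123"
    candidates = [f"+44 7700 900{i:03d}" for i in range(1000)]

    print("keyed pseudonym:", pseudonymise(phone))
    print("unkeyed hash recovered:", reidentify_by_enumeration(unkeyed_hash(phone), candidates, unkeyed_hash))
    print("keyed pseudonym recovered without key:",
          reidentify_by_enumeration(pseudonymise(phone), candidates, unkeyed_hash))
    print(pseudonymise_record({"email": "Alice@Example.com", "phone": phone, "plan": "basic"}))
```

Two practical notes: rotating the key produces a fresh, unlinkable set of pseudonyms, which is useful when a dataset's retention period ends; and because the output is deterministic, two records about the same person remain joinable, which is exactly the property analytics teams need and also the property a privacy review should flag when the pseudonymized data is shared outside the organization.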
For consumers, the GDPR gives people the right to be told when a breach of their personal data, such as a social security number, health records or email address, is likely to put them at high risk. Organizations must notify the relevant supervisory authority within 72 hours of becoming aware of a breach, and must inform the affected individuals without undue delay when the risk to them is high, so that those individuals can take steps to protect themselves. Organizations must also explain how they use personal data in clear, plain language that is easy to understand.
Summary
Companies must implement appropriate organizational and technical measures in line with the GDPR's governance and accountability provisions. These include, but are not limited to, documenting processing activities and data protection measures, conducting internal audits, reviewing the organization's privacy and security policies, and training staff on security and privacy.