This is a blog post that is meant to paint, in broad strokes, an understanding of what GDPR is.
Almost every website or web app you access today is in your face about new terms and conditions it is rolling out, wanting to make you aware of them and/or seek your permission.
This change is due in part to GDPR. What is it? Why now? Find out more in the writeup.
What is the GDPR?
This is the “General Data Protection Regulation”, approved by European Union member states on the 14th of April 2016.
It is a regulation meant to harmonize data privacy laws across the EU, granting all EU citizens extensive control over their data privacy and reshaping the way organizations handle it.
Why are you now seeing GDPR notifications?
The main reason is that the date from which GDPR compliance becomes compulsory is approaching: the 25th of May 2018. Companies and businesses in the EU, or with clients in the EU, are fervently doing all they can to make sure they are compliant before that date or face steep penalties, which could be 4% of their global turnover or 20 million euros, whichever is greater.
It is this flurry of activity that makes actions towards GDPR compliance more visible.
According to a survey conducted in 2016 by PwC, 68% of US-based companies are expected to spend between 1 and 10 million dollars to meet GDPR requirements. Another 9% of US companies are expected to spend more than 10 million dollars.
What type of data does the GDPR cover?
Any and all types of data that can uniquely identify an individual are covered under GDPR.
- Basic identity: name, age, etc.
- Web data: geolocation data, IP addresses, cookies
- Health and genetic data
- Racial and political data
- Sexual Orientation
What are the key areas GDPR covers?
The underlying element to consider is data protection, in that data protection is a fundamental right. As such, all persons have the right to have their data protected, the right to defend their personal data, and the right to move their data without restriction or hindrance.
The GDPR applies to the processing of data, automated or otherwise, which forms part of a filing system or is intended to form part of one. It covers:
- Data of individuals who are citizens of EU member states.
- Business entities that have a presence in the EU.
- Business entities that process or handle the data of EU member state citizens.
This affords consumers total control over their data.
- Consumers should be able to access all their data, whether in storage or being processed.
- They should be able to tell what their data is being used for.
- They have the right to be forgotten and to prevent third parties from accessing their data.
- They should be able to transfer their data to another service provider.
- Consent should be easy to give and to withdraw.
Terms and conditions should be clear in meaning and not bundled up with one another, i.e. consent for “A” shouldn’t be bundled up as consent for “B”.
Another area that the GDPR covers has to do with mandatory disclosure. This means any business or entity that falls under the purview of the GDPR has a maximum of 72 hours to disclose data breach incidents.