What is the GDPR?
The GDPR, which stands for the General Data Protection Regulation, is the new European data protection law. Protection of personal data is a fundamental right within the European Union.
“Everyone has the right to the protection of personal data concerning him or her” — Charter of Fundamental Rights of the European Union.
The new law came into effect on 27 April 2016, but with a transition period until 25 May 2018. It is the most important change in this domain in the last 20 years.
Why the GDPR?
The film below provides a clear summary of why the GDPR was so necessary:
The GDPR will end the patchwork of legislation that currently applies in the 28 member states and will lead to a harmonisation of data protection within Europe. In this sense, the GDPR legislation is part of a bigger Digital Single Market Strategy.
Besides the harmonisation of the legal framework, the GDPR has three objectives:
- The GDPR increases the rights of individuals
- The GDPR strengthens the obligations for businesses
- The GDPR dramatically increases the possible sanction in the event of non-compliance with the law. Data protection regulators can impose fines of up to €20,000,000, or 4% of the total global revenue. Furthermore, the regulator has the option to impose a (temporary) ban on data transfer, class action lawsuits can be started, and companies can suffer enormous reputational damage.
Is the GDPR a game-changer?
It should be clear that non-compliance with the GDPR is not an option. What’s more, the GDPR will have a global impact on almost every organisation, affecting both staff and contacts, including those outside the EU. The GDPR will be a differentiator: consumers will choose to do business with companies that are fully GDPR-compliant rather than with those that cannot guarantee compliance.
In this post, we examine what the GDPR means for you as a natural person.
What exactly are ‘personal data’?
The term ‘personal data’ refers to any information that can be used to identify you, either directly or indirectly, such as your name, your phone number, your e-mail address, your place of birth, or your date of birth. An IP address now also counts as ‘personal data’.
What are your rights as a natural person in the EU?
When your personal data are being processed, you have enforceable rights, including:
- The right to be informed, in clear and understandable language, that your personal data are being processed;
- The right to access your own data;
- The right to have wrong or incomplete information corrected;
- The right, in certain cases and on legitimate grounds, to object to the processing of your data;
- The right not to be subjected to an automated decision that evaluates personal aspects such as your performance at work, credit score, trustworthiness or conduct;
- The right to compensation from those responsible for your data if you suffer any harm.
Under the GDPR, we must differentiate between data controllers, who are the owners of the data, and data processors, who process the data on the controller’s behalf. Both have obligations.
What are the obligations of the data controller?
The obligations of a data controller (i.e. an entity in the public or private sector that is responsible for personal data) are as follows:
- To ensure that your rights are safeguarded (in other words, that you are kept informed and are given access to your data);
- To ensure that the data are only collected for specified, explicit and legitimate purposes, that they are accurate and up-to-date, and that they are not kept for any longer than necessary;
- To guarantee that the criteria for the legitimate processing of data are met, for example when consent is given, when a contract is signed, when there is a legal obligation, etc.;
- To guarantee confidentiality in data processing;
- To guarantee security in data processing;
- (In certain cases) to notify the authorities responsible for personal data protection; and
- To ensure that, when data are transferred to countries outside the EU, those countries guarantee an adequate level of protection.
If you have the role of a data controller, we advise you to start a risk assessment and a vendor assessment immediately, if you have not already done so.
What can you do in the event of an infringement of your rights?
You can lodge a complaint with the data protection authority, of which there is one in every member state. These authorities are responsible for guaranteeing that your rights and the corresponding obligations are respected. They also have the power to hear your complaint and, where warranted, to prohibit the processing of your data.
You also have the right to legal redress for every infringement of these rights and obligations, as guaranteed by national law.
The European Data Protection Supervisor is responsible for supervising the processing activities carried out by the EU’s own institutions and bodies.
In a subsequent post, we will look at the following questions in more detail:
- What does the GDPR mean for your organisation?
- How do you implement the GDPR in your organisation, and what are DPO, DPA, and DPIA?
- What should you do in the event of a data breach?
- What is the GDPR going to cost me?
- What is the influence of the GDPR on social networks?