The GDPR (short for General Data Protection Regulation) rules are about to come into effect in two months' time. Our article reveals what they mean for computer users worldwide and how the regulations will impact the IT industry as a whole. Continue reading to learn more about it.
What is the GDPR Policy?
The GDPR regulations are a set of policies that have been in preparation for years in the European Union. In essence they are a complete overhaul of the existing data protection directives, and their main goal is to harmonize the laws regarding private data across the member countries. According to the members of Parliament behind its creation, the new mechanisms will help strengthen control of data across the union. The debates and preparations ended when the rules were finally approved on 14 April 2016. The agreed enforcement date is 25 May 2018, when the new rules will become mandatory.
The proposed changes and their subsequent effects will ultimately change how both businesses and government organizations handle the information of their visitors and clients. There are many major changes that will affect the current data privacy laws in the member states as the adoption process is executed. Both politicians and specialists note that this is one of the biggest changes to have come in two decades. When the current laws were proposed and accepted, a different type of organization and industry existed. Nowadays, as more and more people and client devices are involved in the gathering and processing of personal information, so do the possibilities for its abuse grow.
There is an important distinction between the GDPR regulations and the previous data privacy laws. By nature the GDPR is written as a regulation — a binding legislative act. By law it must be applied in its entirety across the whole European Union. The previous data privacy act that it replaces is defined as a directive, which is not directly binding and merely sets out goals that the individual countries must achieve through their own national laws.
Upcoming GDPR Regulations Changes
The GDPR regulations are set to dramatically increase their territorial scope in comparison to the previous privacy protection rules. This distinctive part comes from the extra-territorial applicability feature as defined by the EU Parliament, a consequence of the now extended jurisdiction of the GDPR. The regulations now apply to all companies that process personal data of data subjects residing in the EU. The important condition here is that the rules apply regardless of the company's location. The previous rules qualified data processing by stating that it must occur "in the context of an establishment". Under the GDPR the rules will still affect the outlined companies even if their servers are outside the union. Companies that process personal data of EU customers will be required to appoint a representative in the EU.
Another important aspect of the new rules is the modified consent conditions. Businesses will no longer be able to present long and illegible privacy policies and terms and conditions to their customers. Requests for consent are obliged by law to be given in an easily accessible way. A new requirement is the clear display of the actual data processing purposes. Clients must also be given an easy mechanism to withdraw their consent.
It is important to note that personal data is defined very clearly by the GDPR regulations. There are two main conditions that make it up:
- Possession — Data Subjects (Natural People/EU Citizens) are defined as the creators and proprietors of private information.
- Nature and Capacity — Private data is defined as any information (string or value) that can be used to directly or indirectly expose the identity of a person. Examples include their name, photo, address, e-mail, bank details, social networking posts, medical information, IP address, location, etc.
In addition to this there are specific conditions for the processing of data of people under the age of 16. Companies and government organizations will need to obtain parental consent for all children and citizens under the age of 16 for online services. The member states may legislate for a lower age; however, it cannot be below the age of 13.
There are two distinctive groups of entities that are defined by the GDPR regulations:
- Data Controller — This is the entity that determines the purposes of private data collection and processing.
- Data Processor — The processor is the entity that processes the personal data on behalf of the controller.
Organizations that breach the regulations can be fined up to 4% of their annual global turnover or €20 Million – whichever is greater. This is the maximum fine that can be imposed if serious violations are discovered. The new regulations introduce a tiered approach to the financial sanctions. Companies can be fined 2% of their annual global turnover if they do not keep the required records or fail to notify the authorities about a breach. The rules apply to both data processors and controllers. As a result, cloud services will not be exempt from GDPR enforcement.
Rights of the GDPR Data Subjects
The data subjects defined by the GDPR regulations are also given specific rights. The policy stipulates that breach notifications will become mandatory across the whole EU. Such notifications are required in all cases where an incident is likely to result in a "risk for the rights and freedoms of individuals". A time frame is instituted — the notice must be given within 72 hours of discovery.
The expanded rights of the data subjects also include the right to obtain confirmation from the data controllers as to whether their personal data are being processed. This includes not only an affirmative or negative response, but also a detailed report covering the purposes and means of the processing. Controllers are required to provide a copy of all acquired personal data in electronic format, free of charge, upon request.
Data Erasure enables the Right to be Forgotten, which is the request of a data subject (citizen) to the data controller for the removal of their personal data, for further dissemination (distribution) of it to cease, and for third parties' access to it to be revoked. The conditions for this are clearly outlined in the act and include data that is no longer relevant to the original purpose of processing, and withdrawn consent. Such requests are granted on condition that the controllers weigh the rights of the subjects against "the public interest in the availability of the data".
The regulations also introduce the concept of data portability, which is the right of a data subject to receive the personal data concerning them that they have previously provided, in a specific form. As defined by the regulations this is a "commonly used and machine readable format". Data subjects also receive the right to transmit this information to another data controller. This is related to the fact that web services utilize databases that store the provided data in a common format. Upon request, citizens will be able to obtain a copy of their data.
Another concept that is now becoming a legal requirement thanks to the GDPR is privacy by design. As a consequence, data protection is included in the design of systems as a core component. Data controllers will need to implement effective technical and organizational measures in all web services and computer applications in order to meet the GDPR regulations. An article of the law prescribes that controllers should hold and process only the data absolutely necessary to complete the service's duties. Third-party access to personal data should be strictly limited.
Data Protection Officers (DPOs) Regulations
At the moment data controllers are required to notify all data processing activities to the local data protection authorities (DPAs). For multinational companies operating in several countries this can be really difficult to implement, because practically all member states implement varying notification requirements. Under the GDPR prescriptions it will no longer be necessary to submit a notification to each local DPA. The law also removes the requirement to notify the relevant authorities or obtain approval for transfers based on the model contract clauses (MCCs).
Instead, the new mechanisms mandate the coordination of internal record keeping requirements by data protection officers (DPOs). Their appointment is mandatory only for controllers and processors whose core activity consists of processing operations that require regular and systematic monitoring of private data on a large scale, or of special categories of data. Data protection officers should meet the following requirements:
- Must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices.
- May be a staff member or an external service provider.
- Contact details must be provided to the relevant DPA.
- Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge.
- Must report directly to the highest level of management.
- Must not carry out any other tasks that could result in a conflict of interest.
Brexit Effects and the GDPR Implementation
The policies specifically note that if UK companies process data in the context of selling goods or services to citizens in EU countries, they will need to implement the relevant GDPR regulations. This is irrespective of whether the UK retains the law after Brexit has taken place. After the initial exit period has ended and the activities are limited to the UK only, the position is not clearly defined. Right now the Government has indicated that it will implement an alternative or equivalent legal mechanism. Legal experts note that such legislation will likely follow the GDPR procedures, given the support previously provided by the ICO and the UK government. Members of the UK Parliament have stated that the regulations are an "effective privacy standard".
Consequences of the GDPR Implementation
The result of the GDPR implementation is the encouragement of citizens' control over their own personal data. The regulations provide a mechanism which gives EU citizens the ability to take effective measures against possible abuse of their private information. The positive fact is that the law's prescriptions apply to both businesses and government institutions.
The other positive change is that the new rules will help strengthen the creation of a true single EU digital market by simplifying the data protection mechanisms. Privacy protection is important to the adoption and rise of e-commerce, as it creates a sense of trust and prevents abuse by the active parties.
The mechanisms also have a focus on social networks and cloud service providers, which are widely used by end users across the world. EU citizens will also be assured that their personal data cannot be transferred to countries outside the EEA (European Economic Area) unless the same degree of data protection is guaranteed.