What is the EU General Data Protection Regulation (GDPR)?
The GDPR is a new regulation created by the European Union. It has been four years in the making and was finally approved on April 14, 2016. It will replace its predecessor, the Data Protection Directive 95/46/EC, which was adopted in 1995. The GDPR aims to regulate the processing of personal data of individuals, hereafter referred to as “EU citizens,” residing in the European Economic Area (EEA), i.e., EU member states and Iceland, Liechtenstein, and Norway. The GDPR is designed to have a wider scope and includes other major changes that take into account the current cybersecurity landscape.
Visit the Trend Micro GDPR page for further details on the GDPR, guidance on how to comply with the regulation successfully, and state-of-the-art cybersecurity solutions.
In brief, the GDPR builds on the past directive. Some of the key changes are the following:
- Increased territorial scope: The GDPR applies to all companies processing the personal data of data subjects residing in the EU/EEA, regardless of the company’s location. To elaborate, the GDPR applies to the processing of personal data by controllers (companies) and processors (entities that process the data for the companies) in the EU/EEA, whether or not the processing itself takes place in the EU/EEA. Non-EU/EEA-based businesses processing the data of EU citizens will also have to appoint a representative in the EU/EEA. The GDPR will also apply to the processing of personal data of data subjects in the EU/EEA by a controller or processor not established in the EU/EEA. In essence, companies and organizations anywhere in the world are affected as long as they process the personal data of EU citizens.
- Encompassing penalties for regulation violation: Organizations and companies found to be in breach of the GDPR will be fined according to the scope and type of their infringement. A supervisory authority will assess the violation (e.g., a shortcoming or a data breach) in order to determine what type of penalty will be imposed. It follows a tiered approach to fines.
- Clearer and more concise consent: Organizations and companies will no longer be allowed to use long and illegible terms and conditions or complex forms to request consent from customers. Such forms must be given in an intelligible and easily accessible format, using clear and plain language. Consent must be explicitly given, and customers must also be able to easily withdraw that consent.
- Breach notifications: Organizations and companies must notify supervisory authorities and their customers in the event of a data breach that is likely to place at risk the rights and freedoms of individuals. This notification, which needs to happen within 72 hours after the discovery of a breach, will be mandatory. This also applies to data processors that need to notify their customers.
- Access rights: Data subjects will be able to obtain confirmation from companies as to whether or not their personal data is being processed, where, and for what purpose. The company must also provide a copy of the customer’s personal data at their request, free of charge.
- Deletion rights: The ‘right to be forgotten’ allows the data subject to have the company erase his or her personal data. This right to data erasure is not absolute and can be claimed only under certain conditions, such as the withdrawal of consent or the data no longer being relevant to the original purposes of processing. This right is subject to public interest or national security concerns.
- Data portability: The data subject will now be able to receive any previously obtained personal data that concerns him or her in a common and machine-readable format, and to transmit it to another company.
- Privacy by design and by default: Privacy by design is a common informal approach: it means that each new service or business process that makes use of personal data must take the protection of such data into consideration. Privacy by default simply means that the strictest privacy settings automatically apply once a customer acquires a new product or service. This means no manual change to the privacy settings should be required on the part of the user to select the strictest setting. The GDPR is making privacy by design a major provision and, as a consequence, the inclusion of data protection as a key design element becomes an integral objective of any system design from the very onset.
- Data Protection Officers: The Data Protection Officer (DPO) will be an important GDPR cornerstone. In addition to supporting an organization’s compliance with the GDPR, the DPO will have the essential role of acting as an intermediary between the organization and supervisory authorities, data subjects, etc. Not every organization/company will need a DPO; there are certain criteria that determine whether a DPO is required or not.