The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) was adopted by the European Union on April 27, 2016, and has applied since May 25, 2018, to strengthen individuals' control over their personal data. GDPR repealed Directive 95/46/EC. It lays down rules on the protection of natural persons with regard to the processing of their personal data and rules on the free movement of personal data. GDPR applies to the processing of personal data that is wholly or partly automated, and to the non-automated processing of personal data that forms part of a filing system or is intended to form part of one.
The regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter of Fundamental Rights of the European Union, including respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, the freedom to conduct a business, the right to an effective remedy, and cultural, religious and linguistic diversity.
To ensure consistent and high-level protection of individuals and to remove obstacles to the flow of personal data within the Union, the level of protection of the rights and freedoms of individuals in relation to the processing of such data must be the same in all Member States. Throughout the Union, a consistent and homogeneous application of rules for the protection of fundamental rights and freedoms of individuals in relation to the processing of personal data must be ensured. Regarding the processing of personal data for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Member States should be allowed to maintain or introduce national provisions to further specify the application of the rules of this regulation.
Effective protection of personal data across the Union requires strengthening and specifying the rights of the individuals to whom the data relates, as well as the obligations of those processing and determining the processing of personal data.
These rights include:
- Right to information
- Right to rectification
- Right to erasure (“right to be forgotten”)
- Right to restriction of processing
- Obligation to notify regarding rectification or erasure of personal data or restriction of processing
- Right to data portability
- Right to object, and rights in relation to automated individual decision-making, including profiling
For infringements of these rights, GDPR provides for administrative fines of up to €20,000,000 or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher.
If you process the personal data of individuals in the EU and cannot guarantee all of these rights to the people whose data you process, it is high time to align your business processes with the requirements of GDPR. This means developing and adopting internal procedures and rules that allow you to demonstrate compliance, and educating employees about what GDPR means and requires.
Some benefits of implementing GDPR include:
- Ensuring the organization can demonstrate compliance with GDPR requirements
- Understanding, documenting, and mapping personal data collected, processed, and held by the organization
- Implementing appropriate use of Data Protection Impact Assessment (DPIA) within the organization
- Continuously understanding and assessing the risk of non-compliance with personal data protection rules
- Making all necessary changes to existing policies, processes, procedures, records, contracts, and other documented information to align with GDPR requirements
- Increasing the confidence of customers, clients and other stakeholders that their personal data is protected
- Reducing the risk of personal data breaches in the handling of personal data