With the increasing number of data leaks and cyber-attacks, many consumers in the EU have become victims of damaging cybercrime. Many of them discovered that their data was being used by organizations they had never entrusted it to, both online and offline.
The steady stream of cybercrime and the scale of the damage it has caused have drawn public attention. The voices of the victims have not been ignored, especially after recent investigations showed that some leaks were caused by the carelessness of the organizations handling the information.
The failure of organizations to protect the personal information of their customers can have grievous consequences. The European Union responded by uniting organizations around a single goal: to secure the data they collect, however it is collected. The General Data Protection Regulation was issued to restore confidence and to create a much clearer understanding of how data may be collected and used.
What is GDPR?
GDPR, the General Data Protection Regulation, is a regulation of the European Union that safeguards the personal data of individuals in the EU. It protects the data and privacy of people in the EU whether the organization processing the data is located inside or outside the EU, which makes it applicable to international businesses as well.
The regulation was adopted in April 2016 and has been enforced across the entire EU since 25 May 2018. It does not matter if your organization is located outside the EU: as long as it offers goods or services to people in the EU or monitors their behaviour, and therefore controls or processes their personal data, it must comply.
Matched to the diverse ways in which businesses work nowadays, GDPR plays a vital role for both consumers and service providers. In the digital new normal, consumers are given the right to control the data they provide in a more transparent way, and businesses are held to standards for how they handle and manage that information.
Who should comply with GDPR?
Any business or organization that stores or processes the personal data of people in the EU, whether it is located inside or outside the EU, must comply. Online businesses and organizations are not excluded. The obligations fall on both controllers (who decide why and how data is processed) and processors (who process it on a controller's behalf).
What does GDPR cover?
As GDPR is implemented to protect the data of people in the EU effectively and securely, there are several factors to take into consideration.
Consent (Chapter 2. Article 7)
Consent is the first and most important factor. Your customer's approval for you to process the data they freely provide must be clear and specific: it should state plainly that the data is used for a specified purpose, and it must be as easy for the customer to withdraw consent as it was to give it (Article 7(3)).
Notification of any breach (Chapter 4. Articles 33 and 34)
If a personal data breach occurs, the data controller must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33). A processor must notify its controller without undue delay. When the breach is likely to result in a high risk to individuals, the affected customers must also be informed without undue delay (Article 34). Missing these notifications exposes the company to fines.
Right to data access (Chapter 3. Article 15)
If a customer asks to access the data you have collected and processed about them, you must provide it, and the first copy must be free of charge. GDPR clearly states that consumers have the right to know what data you store about them, including the purposes of the processing, the categories of data, the recipients, the retention period and, where the data was not collected from them, its source.
Right to data deletion (Chapter 3. Article 17)
Also known as the right to be forgotten. The customer has the right to request the deletion of their personal data, in particular when the data is no longer necessary for the purpose it was collected for, or when they withdraw the consent the processing was based on.
Data portability (Chapter 3. Article 20)
The customer has the right to receive the personal data they provided to you in a structured, commonly used and machine-readable format. The difference from the right of access is that the customer can take that data to other companies or organizations, and can ask you to transmit it directly to another controller where that is technically feasible.
Transparency and records of processing (Chapter 3. Article 12; Chapter 4. Article 30)
Information given to customers about their data must be concise, transparent and in plain language (Article 12). In addition, organizations must keep a record of their processing activities (Article 30). Organizations with fewer than 250 employees are exempt from keeping this record unless the processing is likely to result in a risk to individuals, is not occasional, or includes special categories of data. The record lists the processing activities, the purposes of the processing, the categories of data and of data subjects, the recipients who have access to the data, the envisaged retention periods and, where possible, a general description of the security measures used to protect the data.
What happens if the organization failed to comply?
Failure to comply with GDPR can result in heavy administrative fines. However, each case is assessed on its own circumstances. The fines can range from relatively small to very large depending on the infringement and the damage it has caused.
Under Chapter 8. Article 83, GDPR specifies how fines are determined. The amount of the fine depends on the following:
- The nature, gravity and duration of the infringement, including the number of people affected and the damage they suffered
- Whether the infringement was intentional or caused by negligence
- Actions taken to mitigate the damage, and the technical and organizational measures that were in place
- The categories of personal data affected
- How the infringement became known to the supervisory authority, in particular whether the organization notified it
- Any previous infringements, and adherence to approved codes of conduct or certification
- The degree of cooperation with the supervisory authority
For the most serious infringements, such as breaching the basic principles of processing (Articles 5, 6, 7 and 9), infringing the rights of data subjects (Articles 12 to 22), or unlawfully transferring data outside the EU (Articles 44 to 49), the fine can be up to 20 million euros or 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.
For infringements of the obligations of controllers and processors under Articles 8, 11, 25 to 39, 42 and 43 (which include data protection by design, security of processing, breach notification and the certification rules), and of the obligations of monitoring bodies under Article 41(4), the fine can be up to 10 million euros or 2 percent of the total worldwide annual turnover, whichever is higher.
The regulation imposed by GDPR is straightforward and clear. Its goal is to ensure that a company or organization uses and processes its customers' data legitimately, in order to prevent breaches and other dealings with damaging results.
Complying with GDPR means that the company has acquired the data responsibly and in a manner that securely safeguards the personal information of its customers. It gives everyone the confidence of knowing that their data is in the right hands in the first place. Though GDPR's fines are massive, they are simply accountability being enforced.
GDPR's principles require fairness, lawfulness and transparency in processing, and they make every organization accountable for the personal data of its customers.