You might have heard that many companies and businesses have been scrambling to meet the requirements of GDPR, the General Data Protection Regulation. Of course, many people, whether they are from Europe or not, have no real idea what GDPR is or what it will mean for them, if anything. It is always important to be as informed as possible, and the information that follows will give you a better overall picture of what GDPR is and how it is going to work.
What Is GDPR?
GDPR is the European Union's new data privacy law. Primarily, it gives users more control over how their data is gathered and used. It also requires that companies use only secure methods for collecting, processing, and storing customer data.
According to those who developed it for the EU, the overall goal of this change in the way personal data is handled is to change the way companies think about data. They want companies to understand that privacy should be the default for data, not something that users need to opt into.
Who Does the Change Affect?
While this is a law that is going into effect in the EU, it affects any organization that holds data on people who reside in the European Union. It does not matter where that entity or company is located.
This means that if you have a company in the United States or Canada, and you have any business with people from the EU where you take their data, it is still going to affect you.
Even if you have just a single customer in the EU, it will affect how you have to do business. Websites that track browsing histories in Europe will be affected, as well.
Most large companies have been taking steps to comply with the new requirements. You might remember that recently, there was a surge of large and small firms alike that were upgrading their privacy settings and making changes to their user agreements.
This was all to get prepared for the GDPR.
What Does This Mean for Data Collection?
Companies can still collect data from customers, but they cannot do so by default. They need to be able to demonstrate a lawful basis for collecting the data.
An example of a lawful basis would be a contract or some other legal obligation that would allow the company to collect and store the data.
It is also possible for companies to get a person’s consent to store and process their data. You might think that this is not much different from before the GDPR, but it is.
In the past, it was possible for companies to hide the consent within terms and conditions that people might not ever even read or realize that they’ve agreed to.
Now, the request for the storing and processing of personal data needs to be written in plain language that people are going to be able to understand.
Data can be collected and processed for other reasons, as well. For example, the police are still able to gather information about criminals. Additionally, data gathering can occur to help save someone’s life, such as someone who is in a hospital and who is not conscious.
The personal details can be gathered in those cases to ensure the safety of the patient. The companies that are gathering the data will find that they have to be more careful than ever when it comes to the security of the data they are collecting.
Also, they are not allowed to hold onto the data for any longer than is needed. Individuals will have more power and control over what can happen to their data. This means that they have the right to ask for their data to be removed from your servers.
Of course, there are also some exceptions to this rule. For example, a law enforcement agency would not have to remove the personal data of a criminal from their servers.
Another substantial change, and one that is long overdue in the opinion of many people, is that companies are now required to notify the authorities of a data breach within 72 hours of discovering it.
This shortens the time before customers learn that someone may have accessed and stolen their data.
Companies are required to handle data correctly and safely, and this was something that many companies did not have to do in the past. If they do not take proper care of their data collection and protection needs, they could end up facing some severe fines because of it.
Many companies have chosen to hire data protection officers to help with compliance and the follow-through on data protection.
Why the Massive Change?
The old rules had been in place since 1995, and the Internet and data collection have changed and evolved quite a bit in the intervening years. It was time for the legislation on data collection to be updated to reflect the real world as it stands today. Because of the massive number of data leaks and cyber attacks that take place, and which are growing more and more common, having these new rules in place to protect people is a good move, even though it has caused some consternation among businesses.
What about companies that do not comply? If a company does not follow these regulations, it could face fines of up to 4% of its annual global sales, capped at a maximum of $23.5 million. No company wants to face fines of that size, and really, no company should want its customers to be at risk.