In 2017, The Economist stated that personal data has outpaced oil as the most valuable resource in the world—and it has only become more valuable since GDPR. The significant modification in the field of data protection brought by the new European legislation (GDPR – 25 May 2018), generates essential changes in work procedures of Romanian companies, regardless of the area of activity.
GDPR may seem like a burden but as companies rebuild trust with consumers, it will become a sustainable approach fostering both innovation and accountability.
What is GDPR and what does it stand for?
The General Data Protection Regulation (EU) 2016/679 („GDPR”) is a regulation in EU law on data protection and privacy for all individuals citizens of the European Union (EU) and the European Economic Area (EEA).
It’s been almost a year since the EU’s General Data Protection Regulation (GDPR) went into effect. What was the purpose? To help EU citizens control their personal data and how it’s collected, shared and used. But the sweeping nature of the GDPR means that it’s not just EU-based websites and technologies that fall under its remit, but any that might potentially be accessed by an EU citizen.
The GDPR’s roll-out represented a major change for tech companies, data brokers and marketers, who had previously had free rein over the data that they collect. They’d never before had to disclose what data they were storing, what they were using it for, or why they wanted it.
The 8 basic rights of GDPR
Under the GDPR, individuals have:
The right to access – this means that individuals have the right to request access to their personal data and to ask how their data is used by the company after it has been gathered. The company must provide a copy of the personal data, free of charge and in electronic format if requested.
The right to be forgotten – if consumers are no longer customers, or if they withdraw their consent from a company to use their personal data, then they have the right to have their data deleted.
The right to data portability – individuals have a right to transfer their data from one service provider to another. And it must happen in a commonly used and machine readable format.
The right to be informed – this covers any gathering of data by companies, and individuals must be informed before data is gathered. Consumers have to opt in for their data to be gathered, and consent must be freely given rather than implied.
The right to have information corrected – this ensures that individuals can have their data updated if it is out of date or incomplete or incorrect.
The right to restrict processing – individuals can request that their data is not used for processing. Their record can remain in place, but not be used.
The right to object – this includes the right of individuals to stop the processing of their data for direct marketing. There are no exemptions to this rule, and any processing must stop as soon as the request is received.
The right to be notified – if there has been a data breach which compromises an individual’s personal data, the individual has a right to be informed within 72 hours of first having become aware of the breach.
Examples of violations of the GDPR and the first penalties:
Facebook has been fined £500,000 by the Information Commissioner’s Office in the wake of the Cambridge Analytica scandal, after allowing third-party developers to access user information without sufficient consent.
Uber Company was fined GBP 385,000 for inappropriate security arrangements that allowed hackers to download a large amount of personal data about drivers and customers.
The business implications of GDPR
GDPR applies to all businesses and organizations established in the EU, regardless of whether the data processing takes place in the EU or not. Even non-EU established organizations will be subject to GDPR. If your business offers goods and/ or services to citizens in the EU, then it’s subject to GDPR.
All organizations and companies that work with personal data should appoint a data protection officer or data controller who is in charge of GDPR compliance.
There are tough penalties for those companies and organizations that don’t comply with GDPR fines of up to 4% of annual global revenue or 20 million Euros, whichever is greater.
Many people might think that the GDPR is just an IT issue, but that is far from the truth. It has broad-sweeping implications for the whole company, including the way companies handle marketing and sales activities.
Are you looking for a lawyer specialized in IT & Telecommunication issues?
We can provide specialist privacy service that ensures your business is protected and compliant under the GDPR. Also, we can show help you work out what is needed to comply with GDPR and then support you by providing a custom GDPR compliance program