What is the GDPR?

The General Data Protection Act (GDPR) became law in the European Union (EU) on May 25, 2018. The GDPR applies to organizations with assets and employees in the EU, to companies that target and sell to individuals in the EU, and to data that is stored in the EU. The GDPR gives individuals more control over their personal data by granting them the following rights. Individuals covered by the GDPR have the right to be informed about an organization’s collection and use of their information; the right to access their personal data and request rectification; the right to restrict processing of personal data; the right to data portability; the right not to be subject to automated decision-making; and the right to request that all information within an organization’s control be deleted.

The key terms in the GDPR include personal data, sensitive personal data, data subject, data controller, data processor, consent, data protection authority (DPA), and data protection officer (DPO). A data subject is the person whose data is being processed. The data controller is the individual or entity that determines the purposes and the means of processing personal data. The data processor is an individual or entity that processes personal data on behalf of the controller. Consent is defined as a freely given, informed indication of the data subject’s wishes to provide their personal data to the organizations collecting it.

Personal data is broadly defined as any data that relates to an identified or identifiable natural person. In other words, if the data can be used to identify a natural person directly or indirectly, it is considered personal data under the GDPR. Importantly, data that has been deidentified, encrypted, or pseudonymized remains personal data if it can be used to reidentify the natural person. Data is considered anonymized if the process used to anonymize the data is irreversible.

Under the GDPR, sensitive personal data is afforded more protection than personal data. Sensitive personal data includes race or ethnic origin, political opinions, religious beliefs, genetic data, biometric data, health data and sexual orientation. The GDPR defines a data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. If an unauthorized individual gains access to personal data, a data breach has occurred.

Failure to obtain a data subject’s consent before collecting, using and storing their data, or failure to report a data breach, may result in severe fines. Fines for violations of the GDPR can be as much as 4% of a company’s worldwide revenue. To avoid fines, personal data must be collected for specified, narrow and legitimate purposes. Thus, companies need to determine what personal data they need to collect, and why, before collecting it, and must protect that data once collected. The GDPR is enforced by the DPAs at a national level. The DPO is the primary point of contact for data protection issues within an organization that falls within the scope of the GDPR.

This article contains general legal information and does not contain legal advice. Apollo Compliance is not a law firm or a substitute for an attorney or law firm. For legal advice, please contact a lawyer.

Published by apollocompliance

Jean-Marc is a law student interested in cybersecurity and data privacy law.
