The GDPR will come into force on 25 May 2018. Do you need to comply with it? Yes, all businesses operating within Europe have to.
But first, what is GDPR, you may ask? Well, there are numerous articles and blogs on the internet describing what GDPR is and how to comply. In short, GDPR (General Data Protection Regulation) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA).
The purpose of GDPR is to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Why has GDPR come about? After many years of individuals signing up to websites with personal information, we as individuals should know how those websites and companies handle our personal information. Data breaches are becoming a common occurrence within large online businesses like Facebook and utility companies, so the EU has brought in a regulation to protect individuals' information; if companies don't comply, a fine may be imposed.
"Data protection by design and by default" means that business processes that handle personal data must be designed and built with consideration of the principles, provide safeguards to protect data, and use the highest-possible privacy settings by default, so that the data is not available publicly without explicit, informed consent and cannot be used to identify a subject without additional information stored separately. No personal data may be processed unless it is done under a lawful basis specified by the regulation or unless the data controller or processor has received an unambiguous and individualised affirmation of consent from the data subject. The data subject has the right to revoke this consent at any time.
A processor of personal data must clearly disclose any data collection, declare the lawful basis and purpose for data processing, and state how long data is being retained and if it is being shared with any third parties or outside of the EU. Data subjects have the right to request a portable copy of the data collected by a processor in a common format, and the right to have their data erased under certain circumstances. Public authorities, and businesses whose core activities centre around regular or systematic processing of personal data, are required to employ a data protection officer (DPO), who is responsible for managing compliance with the GDPR. Businesses must report any data breaches within 72 hours if they have an adverse effect on user privacy.
Learn more about GDPR and what you need to do to be compliant at https://eugdpr.org/