Effective May 25, 2018, the General Data Protection Regulation (GDPR) replaces the Data Protection Directive. This is the first crucial and much-needed change to EU data privacy law since 1995, when just 0.4% of the world was connected to the internet, whereas now almost 50% of the world is connected. In this digital revolution, the old policies are no longer enough to keep individuals' data secure. GDPR sets out the standards for protecting the rights of all people in the EU with respect to their personal data. Organizations will now follow these guidelines to handle and safeguard EU citizens’ personal data in a more effective manner. There are five key aspects of the GDPR requirements.
- All data breaches are to be reported immediately, and no later than seventy-two hours after the breach is discovered
- The definition of personal data is extended to include location data, IP addresses, medical data, and genetic information
- Organizations are required to perform Privacy Impact Assessments (PIAs) to ensure that personal information is protected
- Organizations are required to perform Data Protection Impact Assessments to identify risks to consumer data, and to perform Data Protection Compliance Reviews to ensure that those risks are addressed
- Data processors and data controllers will both have the responsibility of protecting personal information
- All organizations in the energy, transportation, banking, and healthcare sectors, as well as providers of critical digital services such as cloud computing, will be expected to take “appropriate security measures” in the areas of malware detection, response, and reporting
In addition to the key aspects listed above, GDPR will also require all organizations to obtain the consent of data subjects before processing their data, to anonymize all collected data, and to handle cross-border data transfers securely, and it will require certain organizations to appoint data protection officers who oversee GDPR compliance.
Individuals will have more control over their personal data and will be able to transfer their data between providers more easily, a right known as the right to portability. All EU member states and all international organizations that provide goods and services to EU citizens will be required to follow these regulations. Organizations that do not comply face severe penalties and fines: article 79 of the GDPR states that penalties can be up to 4% of the company’s global annual revenue.
Implementing and complying with the GDPR guidelines will allow organizations to avoid penalties while increasing customer data protection and trust. Organizations everywhere are going through a major transitional period in order to prepare for and implement the new regulations required by the GDPR by May 2018.