What is GDPR?
Short name for the General Data Protection Regulation, the European Union's new addition to data protection laws, which took effect on May 25, 2018. With this, there is only one set of data protection rules for all companies operating in the EU, wherever they are based. The GDPR unifies the whole of European Union data protection law: instead of each country having its own data protection laws, the entire EU is now governed by a single regulation. Thus, a company operating in different countries no longer needs to comply with multiple, often differing, regulations. Instead, it only needs to conform to the GDPR in order to offer its services anywhere in the EU.
What does GDPR provide?
With the GDPR, there are stronger rules on data protection, where 1) people have more control over their personal data, and 2) businesses benefit from a level playing field.
Personal data refers to any information that relates to an identified or identifiable, living individual. This can include:
- address and phone number
- health records
- income and banking information
- cultural preferences
- … and more
According to the GDPR, actions such as collecting, using and deleting personal data all fall within the definition of processing personal data. Do you monitor your premises via CCTV? Consult a database containing personal data for business purposes? Send promotional emails? Delete (digital) employee files or shred documents? Or post a photo of a person on your website or social media channels? If you answered 'yes' to any of these, then your company is certainly processing personal data.
Not only does the GDPR give citizens more control over how their personal data is used, it also significantly streamlines the regulatory environment for businesses. It applies to all businesses and organisations (e.g. hospitals, public administrations, etc.). It applies to any business that processes personal data by automated or manual means (provided the data is organised according to criteria). Even if your business only processes data on behalf of other companies, you still need to abide by the rules. Take note: the GDPR is also technology neutral, meaning it protects personal data regardless of the technology used or how the personal data is stored. Whether your business processes and stores personal data using a complex IT system or via paper-based files, you are governed by the GDPR.
How can businesses comply?
The GDPR places direct data processing obligations on companies at an EU-wide level. According to the GDPR, a company can only process personal data under certain conditions. For instance, the processing should be fair and transparent, for a specified and legitimate purpose, and limited to the data necessary to fulfil this purpose. It must also be based on one of the following legal grounds:
- The consent of the individual concerned
- A contractual obligation between you and the individual
- To satisfy a legal obligation
- To protect the vital interests of the individual
- To carry out a task that is in the public interest
- For your company's legitimate interests, but only after having checked that the fundamental rights and freedoms of the individual whose data you are processing are not seriously impacted. If the person's rights override your interests, then you cannot process the data.
The rules ensure that the individual understands what he or she is consenting to; the consent should be freely given, specific, informed and unambiguous, by way of a request presented in clear and plain language. Furthermore, consent should be given by an affirmative act, such as checking a box online or signing a form. You must also give the individual the opportunity to withdraw their consent.
Why bother? We are not from the EU!
While this is an EU regulation, the GDPR applies to any site that collects data from EU citizens. This means that if you're running a website with registration enabled, and some of your users reside in the EU, the GDPR technically applies to you. Since non-EU businesses also need to comply with the GDPR, there is a corresponding penalty, and you could be fined for breaching its rules no matter where you're based.
For more information on this regulation, visit the official page: https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en#background
The infographic below might also help you. Source: https://ec.europa.eu/justice/smedataprotect/index_en.htm
For WordPress designers, here is a site that explains how to comply with the GDPR: https://www.gdprwp.com/