Our world is changing. People and businesses create, store and share huge amounts of information every day, and every day that amount grows bigger – as does the risk of that data being misused. Protecting personal data is the basis of the General Data Protection Regulation (GDPR) that will go into effect 25 May 2018 across the European Union (EU). We’ve listed the most salient points here to help you understand what it means for your business so you can prepare for the new operating realities to come.
What is the GDPR exactly?
The GDPR is a new EU law on data protection and privacy for everyone within the EU. At its core, the purpose of GDPR is to give European citizens control over how their personal data is processed and used. This will be accomplished by giving citizens new rights to access the information companies hold about them. That means that organisations, including ones outside the EU that do business with EU citizens, will have to adapt to the regulation by adjusting their practices. Its goals include the following:
- Protect EU citizens’ personal data
- Give control to data subjects over their processed data
- Unify the duties and responsibilities of “Controllers”
- Simplify the means of data collection and processing
What are some of these new rights?
Under GDPR, EU citizens will have the right to the following:
- Get access to their personal data within a month of requesting it
- Get faulty information corrected
- Get their personal data deleted, if requested
- Object to having their personal data used for automated profiling and decision making
- Demand to have their personal data transferred in a digital format
- Receive compensation if there has been a data breach
- In some situations, have organisations obtain their consent before processing their data, with a clear explanation that consent is required and an explicit “opt-in” option
How will my business be affected by GDPR?
Companies (and individuals) that are considered processors or controllers of data are subject to the new regulations. Depending on which of these your organisation falls under, GDPR sets obligations and limits to what you can do with the data and who is responsible for what. Both personal and sensitive data are covered by the GDPR, and any company that processes sensitive data must appoint a Data Protection Officer. There are 99 articles describing the rights of individuals and how organisations are obligated to comply. We urge you to read them thoroughly, but for now just know that the entirety of GDPR comes down to these six concepts:
- Be aware of what personal data you have and what you intend to do with it
- Responsibly manage the data you have in an organized way
- Be transparent towards customers about what personal data you collect and how you use it
- Appoint someone to be responsible for it
- Protect sensitive information via encryption
- Create a work culture that is aware of security risks and fully prepared to respond
What’s the difference between a controller and a processor and why is it important?
A data controller determines the “why” and “how” of the data’s use. Sometimes the organisation controlling the data also processes it, but if the data controller subcontracts another organisation to process the data further, that organisation becomes a processor. Think of a bank as a controller, for example. It collects information on its clients to open accounts, but most likely hires another organisation – the processor – to store, digitise and catalogue all that information. The data processor never controls the data and cannot change the purpose or use of the data; it can only do what it was contracted to do with it. If there is ever a data breach, this distinction determines who was responsible for what. Understanding one’s role in this new reality, either as controller or processor, is vital.
What’s the difference between personal and sensitive data?
Personal data is defined as a piece of information that can be used to identify someone, such as a name, photo, phone number, etc. Sensitive personal data includes information about religious views, sexual orientation, medical information, etc.
What is the penalty for not complying with GDPR, or for having a data breach?
This is the teeth of the regulation, and it can bite. Failure to comply with the new regulations will result in stiff penalties. If there is a data breach, those responsible have 72 hours to disclose this information to the authorities and tell those affected “without undue delay”. The maximum fine for failing to comply is €20,000,000 or 4% of annual global turnover, whichever is greater.
EasyPark and the GDPR
At EasyPark, we understand that complying with GDPR is as much a priority for our clients as it is for us. And while we recommend that you familiarise yourself with the new regulations as much as possible before they go into effect, we have done our best to develop a framework that will ensure our partnership is compliant.
EasyPark is committed to protecting personal data and maintaining transparency about customer data and how we use it. We welcome the GDPR as a comprehensive law governing personal data processing. As an organisation that is active in multiple countries in the EU, we benefit from the standard set of principles the GDPR provides for regulating data processing. If you have any questions about how EasyPark has adapted its practices in preparation for GDPR enforcement, please contact us.