Today is the day the EU GDPR takes effect. From this date the Regulation applies directly in all EU member states, without needing to be transposed into national law. We would like to review the key changes it introduces to data protection rules, as well as the terms it uses.
The key goal of the GDPR is the protection of natural persons with regard to the processing of their personal data, together with the free movement of such data within the EU. Under these rules a business must have a valid legal basis for using a person's data and must be transparent about how that data is used.
Key GDPR terms
- Material and territorial scope. The Regulation applies to personal data processed wholly or partly by automated means (and to manual processing that forms part of a filing system) by organizations established in the EU, and to the processing of data relating to individuals who are in the EU, even where the organization itself is located outside the EU.
- Personal data is any information relating to an identified or identifiable natural person (name, email address, postal address, phone number, IP address, personal statements, etc.).
- Controllers and processors. A data controller determines the purposes and means of processing personal data. A data processor processes personal data on the controller's behalf and only on the controller's documented instructions; it does not decide what data is collected or why.
- Data Protection Officers. A Data Protection Officer must be appointed by public authorities and by controllers or processors whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data. The Officer is expected to have expert knowledge of data protection law and practice. The Officer monitors the organization's compliance with the Regulation, advises on its data protection obligations, and acts as the contact point for the supervisory authority and for data subjects.
Privacy by Design: data protection safeguards must be built into a product or process from the earliest stages of its development, and the default settings must process only the data necessary for the stated purpose. Where processing is likely to result in a high risk to individuals, a data protection impact assessment must be carried out before the processing starts and kept up to date so that the protected data remains safe. Records of processing activities must also be maintained and protected in line with the Regulation. Another significant point here is the risk-based approach: organizations must implement technical and organizational controls proportionate to the risk the processing poses to the individuals concerned.
The main requirement for consent is that a request for it must be presented in clear and plain language, so that individuals understand exactly what they are agreeing to. Consent must be freely given, specific, informed and unambiguous. It is extremely significant to provide an easy and clear procedure for withdrawing consent: withdrawing it must be as easy as giving it.
Data Breach and Notification
A data breach is "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed". Unauthorized alteration of existing data therefore counts as a breach, as does its theft or loss. The controller must notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; where notification is made later than 72 hours, it must be accompanied by the reasons for the delay. The responsibilities differ: the controller notifies the supervisory authority (and, where the breach is likely to result in a high risk, the affected individuals), while a processor must notify the controller without undue delay after becoming aware of a breach.
The main changes to the Data Protection Regulations
- The right to data portability: the right to receive one's personal data in a structured, machine-readable format and to transfer it from one service provider to another
- Stricter consent requirements
- Obligation for certain organizations to appoint a Data Protection Officer
- The right to erasure ("right to be forgotten")
- Consent for processing the personal data of children under 16 (member states may lower this threshold to 13) must be given or authorized by the holder of parental responsibility
- Notification of personal data breaches to the supervisory authority within 72 hours
- Obligation to conduct data protection impact assessments for high-risk processing
- Obligation to maintain records of data processing activities