Posted on

GDPR Latest 2022

What Is General Data Protection Regulation (GDPR)?

GDPR is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live and outside of the European Union (EU). Approved in 2016, the GDPR went into full effect two years later.

Its aim is to give consumers control over their own personal data by holding companies responsible for the way they handle and treat this information. The regulation applies regardless of where websites are based, which means it must be heeded by all sites that attract European visitors, even if they don’t specifically market goods or services to EU residents.

KEY TAKEAWAYS

The GDPR is a law that sets guidelines for the collection and processing of personal information from individuals.


1-The law was approved in 2016 but didn’t go into effect until May 2018.


2-The GDPR provides consumers with more control over how their personal data is handled and disseminated by companies.


3-Companies must inform consumers about what they do with consumer data and every time it is breached.


4-GDPR rules apply to any websites regardless of where they are based.

Understanding the General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR ) is a law that was approved by the European Union in April 2016 and went into effect on May 25, 2018.

It replaced an earlier law, the Data Protection Directive, and was set up to regulate the way companies process and use the personal data they collect from consumers online. It also has rules in the way that information is moved, whether that’s partly or entirely through automated means.

The law makes it difficult for companies to mislead consumers with confusing or vague language when they visit their websites. It also ensures:

1-Website visitors are notified of the data collected.

2-Visitors explicitly consent to that information-gathering by clicking on a button or some other action.

3-Sites notify visitors in a timely way if any of their personal data held by the site is ever breached

4-There is a mandated assessment of the site’s data security.

5-Whether a dedicated data protection officer (DPO) needs to be hired or an existing staffer can carry out this function.

These requirements may be more stringent than those required in the jurisdiction in which the site is located.

Information on how to contact the DPO and other relevant staffers must be accessible so that visitors may exercise their EU data rights, which also includes the ability to have their presence on the site erased, among other measures.
5
The site must also add staff and other resources to be capable of carrying out such requests.

FAST FACT

The requirement of an Agree button largely explains the ubiquitous presence of disclosures that sites collect cookies, which are small files that hold personal information such as site settings and preferences.

Special Considerations


As further protection for consumers, the GDPR also calls for any personally identifiable information (PII) that sites collect to be either anonymized (rendered anonymous) or pseudonymized with the consumer’s identity replaced with a pseudonym.

This allows firms to do more extensive data analysis, such as assessing the average debt ratios of their customers in a particular region—a calculation that might otherwise be beyond the original purposes of data collected for assessing creditworthiness for a loan.

The regulation applies to all 27 members of the EU and the European Economic Area (EEA), regardless of where websites and residents are based.

As such, it must be heeded by all sites that attract European visitors, even if they don’t specifically market goods or services to EU residents. So the regulation applies to the data of an EU citizen even if it is housed in the U.S. Similarly, a U.S. citizen who resides in the EU is covered whenever they visit sites based in the union.

IPMORTANT- The GDPR affects data beyond that collected from customers. Most notably, perhaps, the regulation applies to the human resources records of employees.

Criticism of the GDPR


The GDPR has attracted criticism in some quarters. Some say that the requirement to appoint DPOs, or simply to assess the need for them imposes an undue administrative burden on certain companies. Some complain that the guidelines are too vague on how best to deal with employee data.

In addition, data cannot be transferred to another country outside the EU, unless the receiving company guarantees the same degree of protection as the EU requires. This has led to complaints about costly disruption to business practices.

There’s a further concern that the costs associated with GDPR will increase over time, in part because of the escalating need to educate customers and employees alike about data protection threats and solutions. There’s also skepticism over how feasibly data protection agencies across the EU and beyond can align their enforcement and interpretation of the regulations, and so assure a level playing field as the GDPR goes into fuller effect.

How Do Companies Become Compliant Under the General Data Protection Regulation?


There are several ways for companies to become GDPR-compliant. Some of the key steps include auditing personal data and keeping a record of all the data they collect and process. Companies should also be sure to update privacy notices to all website visitors and fix any errors they find in their databases.

Who Is Covered Under the General Data Protection Regulation?


In theory, any individual who visits sites that are based in the European Union is protected. This includes anyone within the union itself and beyond its borders. The regulation also applies to a citizen of the EU whose data exists outside the union. And if you’re a citizen of another country who lives in the EU, your data is also protected under the law.

When Did the GDPR Come Into Effect?


The GDPR was approved in April 2016. But it took two years for the framework to be established. As such, the regulation went into full effect on May 25, 2018.

REQUIREMENTS OF GENERAL DATA PROTECTION REGULATION 2018

The GDPR itself contains 11 chapters and 91 articles. The following are some of the chapters and articles that have the greatest potential impact on security operations:

Articles 17 & 18 – Articles 17 and 18 of the GDPR give data subjects more control over personal data that is processed automatically. The result is that data subjects may transfer their personal data between service providers more easily (also called the “right to portability”), and they may direct a controller to erase their personal data under certain circumstances (also called the “right to erasure”).


Articles 23 & 30 – Articles 23 and 30 require companies to implement reasonable data protection measures to protect consumers’ personal data and privacy against loss or exposure.


Articles 31 & 32 – Data breach notifications play a large role in the GDPR text. Article 31 specifies requirements for single data breaches: controllers must notify Supervising Authorities (SA)s of a personal data breach within 72 hours of learning of the breach and must provide specific details of the breach such as the nature of it and the approximate number of data subjects affected.

Article 32 requires data controllers to notify data subjects as quickly as possible of breaches when the breaches place their rights and freedoms at high risk.


Articles 33 & 33a – Articles 33 and 33a require companies to perform Data Protection Impact Assessments to identify risks to consumer data and Data Protection Compliance Reviews to ensure those risks are addressed.


Article 35 – Article 35 requires that certain companies appoint data protection officers. Specifically, any company that processes data revealing a subject’s genetic data, health, racial or ethnic origin, religious beliefs, etc. must designate a data protection officer; these officers serve to advise companies about compliance with the regulation and act as a point of contact with SAs.

Some companies may be subjected to this aspect of the GDPR simply because they collect personal information about their employees as part of human resources processes.


Articles 36 & 37 – Articles 36 and 37 outline the data protection officer position and its responsibilities in ensuring GDPR compliance as well as reporting to Supervisory Authorities and data subjects.


Article 45 – Article 45 extends data protection requirements to international companies that collect or process EU citizens’ personal data, subjecting them to the same requirements and penalties as EU-based companies.


Article 79 – Article 79 outlines the penalties for GDPR non-compliance, which can be up to 4% of the violating company’s global annual revenue depending on the nature of the violation.

GDPR ENFORCEMENT AND PENALTIES FOR NON-COMPLIANCE


In comparison to the former Data Protection Directive, the GDPR has increased penalties for non-compliance. SAs have more authority than in the previous legislation because the GDPR sets a standard across the EU for all companies that handle EU citizens’ personal data.

SAs hold investigative and corrective powers and may issue warnings for non-compliance, perform audits to ensure compliance, require companies to make specified improvements by prescribed deadlines, order data to be erased, and block companies from transferring data to other countries. Data controllers and processors are subject to the SAs’ powers and penalties.

The GDPR also allows SAs to issue larger fines than the Data Protection Directive; fines are determined based on the circumstances of each case and the SA may choose whether to impose their corrective powers with or without fines. For companies that fail to comply with certain GDPR requirements, fines may be up to 2% or 4% of total global annual turnover or €10m or €20m, whichever is greater.

GDPR APPLIES TO ALL WHO REACH EUROPEAN CITIZENS


In addition to EU members, it is important to note that any company that markets goods or services to EU residents, regardless of its location, is subject to the regulation. By complying with GDPR requirements, businesses will avoid paying costly penalties while improving customer data protection and trust.

Now that this privacy regulation is active, websites that do not comply will be inaccessible in European states. Most notable among the list of sites temporarily blocked were the Chicago Tribune and LA Times. If your organization’s site collects any of the regulated data from European users — it is liable to comply to GDPR.

STEPS TO ENSURE GDPR COMPLIANCE

  1. Physically Read the GDPR

While there are sections which are difficult to decipher and feature more legal language, every person in a position to be affected by GDPR should attempt to read and understand this landmark legislation.

  1. Look to Other Organizations

Businesses all over the world are affected by GDPR, not just those in the European Union. If you, or those in your organization, still lack understanding about the needed steps to reach compliance — reach out to those who are compliant. Many businesses will likely share the steps taken to reach compliance.

  1. Pay Close Attention to Your Website

Cookies, opt-ins, data storage and more are things that can be easily setup on a website. Their compliance with GDPR is another matter entirely. While many tools used to collect and store contact data have allowed for compliance, it’s up to you to make sure you’re compliant.

  1. Pay Closer Attention to Your Data

All data in your organization must comply with GDPR if you have a presence (either digitally or physically) in the E.U. Properly map out how data enters, is stored and/or transferred and deleted. Knowing every route personal information can take is vital to preventing breaches and ensuring proper reporting in the event of data loss.

Read About IT ACT 2000 , INDIA

Buy From Amazon

By: Er. Nikhil PandeyCategories: IT Laws Worldwide

Leave a Reply

Your email address will not be published. Required fields are marked *