What is new with GDPR?
- The regulation applies to any organization, wherever it is located, that processes the personal data of a natural person who is in the European Union (EU) in order to offer goods or services (even without payment) or to monitor the behavior of that data subject.
- Protection applies as soon as the information concerns an identified or identifiable natural person.
- Explicit consent has to be given for each data processing purpose.
- Right to be forgotten (right to erasure).
- Right to data portability. The data subject can request the data concerning him or her in a structured, commonly used and machine-readable format for his/her own use or to transfer it to another entity.
- Right to object to a decision based on automated processing including profiling.
- Privacy by design: data should be protected by design and by default.
- An impact analysis should be carried out before processing, to assess the risks.
- Obligation to appoint a Data Protection Officer.
- Transfer of personal data to a third country is possible when the EU lists that country as providing an equivalent level of guarantee; otherwise specific clauses have to be added to the contract. The person's consent to the transfer is mandatory.
What makes it a game changer?
- Single rule across the EU, no more fragmentation by country.
- Organizations must provide notification of a breach within 72 hours.
- The regulation applies to any organization that processes the personal data of a natural person who is in the EU in order to offer goods or services (even without payment) or to monitor the behavior of that data subject. This applies to organizations located both within and outside the EU.
- A record of processing activities shall be maintained.
- Penalties: up to 20 M€ or 4% of the total worldwide annual turnover, whichever is larger.
- The official text: http://eur-lex.europa.eu/legal-content/en/TXT/PDF/?uri=CELEX:32016R0679
- The GDPR homepage at EU: Reform of EU data protection rules
- The Wikipedia page: General Data Protection Regulation