The GDPR or General Data Protection Regulation is a new European law to protect personal data and uphold the privacy of all individuals within the European Union. This new regulation went into effect on the 25th of May 2018.
The GDPR was designed to better protect personal data in an ever more digitalized world.
It aims to simplify and unify all the different privacy laws of each European member country, ultimately minimizing the collection of personally identifiable information (PII).
It's a huge win for the individual's right to privacy. However, it will also have a big impact on almost every company conducting business with European residents.
Every company that handles personal data of an individual within the European Union has to abide by these new regulations. This applies to both citizens and people of other nationalities that are currently residing inside the European Union. Personal data includes any information relating to an individual (not a business) who can be directly or indirectly be identified using this data, such as customer number, IP address, phone number, email address, name, ... Considering these broad definitions of personal data, almost every company will be affected.
There is also a special category of personal data, referred to as sensitive data, which carries additional conditions to process. What can be considered as sensitive data includes:
This is a major change over many of the previous privacy regulations. The GPPR carries severe penalties for businesses that don't comply and instead of using a fixed amount, it's revenue-based. The fine can be up to 4% of the annual worldwide turnover or € 20 million, whichever is higher. This also means that a subsidiary of any company can affect the bottom line of its parent company.
It is important to note that these are worst-case scenarios. The figures and fines will be levied according to the gravity and duration of the infringement. The efforts taken to implement GDPR measures and controls, by the company in question, may be taken into account by the supervisory authorities and can play a role in the decision of the penalty.
Individuals have the right to be informed about the collection and the use of their data. This includes the reason why it has been processed, who are the processors, where it has been saved and for how long.
Individuals have the right to access the data companies collect from them, free of charge. The company must respond to this request within 30 days. A reasonable charge can be asked if the request is unfounded or excessive.
An individual can rectify inaccurate personal data or complete the data if it is incomplete.
Individuals have the right to be forgotten and have their personal data erased. Data should only be kept by a controller for the purposes originally agreed to and only for the duration required for those purposes.
Individuals have the right to request the restriction or suppression of their personal data.
Individuals have the right to obtain a copy of their personal data in order to move it to another service.
Individuals have the right to object to the processing of their personal data. In this case, the controller must stop processing the user's data, unless the controller can demonstrate compelling and legitimate grounds for processing which override the rights of the data subject.
Article 22 of the GDPR lays out additional rules that apply to all automated decision making and profiling based on personal data.
The first step was identifying where we store personal data and how long we store it.
With the outcome of the first step, we have now created and will continue to maintain a record of all activities related to the processing of personal data. This record contains what we process, why we process the data, its lawful basis, who has access, and how long we retain it.
Another step towards Summa becoming GDPR compliant was the creation of internal procedures to handle requests for information, modification or erasure. A procedure to notify the supervisory authority in case of data breaches has been set up as well.
We have also implemented processing agreements with any company that may handle our personal data. (e.g. hosting providers)
Furthermore, we have decided to do a data privacy impact assessment (DPIA) whenever we create new processes for handling personal information. Although the GDPR is mainly about policy and procedures, we have also taken extra steps to further improve our data security measures and controls.
We at Summa, do not take these developments lightly and will continue to strive for compliance to keep our visitors’ data private and secure.