General Data Protection Regulation

From SI410
Revision as of 16:17, 15 March 2019 by Ehuez (Talk | contribs)


The General Data Protection Regulation, or GDPR, is a reform of data protection policy created by the European Union (EU) in May 2018. It applies to every company that operates in the EU and processes the data of individuals living in the EU, whether or not the company itself is based in the EU. Personal data is defined as any information that identifies a person, including but not limited to name, address, IP address, and browsing history. The main aim of the GDPR is to "harmonise" data protection across Europe and to protect individuals' data privacy. The regulation took four years of preparation. Companies were given from May 2016 until May 25, 2018 to implement it, and companies that failed to comply could face substantial fines.

The GDPR has 99 articles that work to 1) protect individuals' data in the EU by giving them control over their own personal data, and 2) hold organizations accountable by requiring evidence and justification for why they use that data.

The GDPR has a significant effect on not only countries in the EU, but also all other countries that manage and hold data of EU citizens.

History of Data Protection in the EU

The GDPR was preceded by the Data Protection Directive, adopted in 1995. The directive addresses personal data in a broad sense: it does not require that processing be automated for the data to be regulated. Its three main principles under which data may be processed are transparency, legitimate purpose, and proportionality.

Premise

Data Controller

A company that collects data from residents of the EU.

Data Processor

A company that processes data for data controllers, such as a cloud service provider.

Structure

The GDPR's 99 articles are organised into 11 chapters and are accompanied by 171 recitals. The 11 chapters are:

I – General provisions
II – Principles
III – Rights of the data subject
IV – Controller and processor
V – Transfers of personal data to third countries or international organisations
VI – Independent supervisory authorities
VII – Cooperation and consistency
VIII – Remedies, liability and penalties
IX – Provisions relating to specific processing situations
X – Delegated acts and implementing acts
XI – Final provisions

Content

Right to Access

Article 15 of the GDPR allows citizens of the EU to access their own data as well as discover information about how their personal information is being processed.

Right to Erasure

Article 17, also known as the right to be forgotten, gives individuals the right to demand that their personal data be erased.

Right of Data Portability

Article 20 applies to data processors and requires that personal data be made available in open, structured formats that are easily accessible to the user in question, so that the user can retrieve their personal data and take a copy of it.

Opting-In

Cookies

While cookies are mentioned only briefly in the text of the GDPR, the changes that many websites have made to comply are very noticeable. Cookies that can identify an individual are considered personal data. In general, a lot can be inferred from one's cookies, such as preferences and activity. As a result, individuals may now notice that they must consent before cookies are used. The main change is that websites must be explicit and detailed when asking for consent, explaining how the cookies will be used, and there must also be an option to reject cookies. The GDPR is not an attempt to eliminate cookies; rather, it enforces transparency and gives users the right to know where their data is going and to control who may have it. [1]

Article 83 and Fines

Article 83 of the GDPR gives data protection officers the power to fine companies. The fine is €20 million or 2% of the company's worldwide revenue, whichever is larger. For larger infractions, the fine is €40 million or 4% of the company's worldwide revenue.

References

  1. "GDPR and cookies | What do I need to know? | Is my use of cookies compliant?", cookiebot.com. Retrieved 12 March 2019.