Written by yichengchen
What is GDPR? What is Data?
The European Union General Data Protection Regulation (EU GDPR) entered into force on 25 May 2018. Individual countries within the European Union were given the flexibility to amend the EU GDPR to suit local needs. For instance, this flexibility led to the creation of the Data Protection Act (2018) in the United Kingdom.
In a nutshell, GDPR imposes obligations on organisations which do business with individuals in the EU. This applies regardless of where these businesses were incorporated, as long as, in the course of doing business, they target or collect data related to people in the EU.
Personal data means any information which, directly or indirectly, could identify a living person. Name, phone number, and address are schoolbook examples of personal data. Interests, information about past purchases, health, and online behaviour are also considered personal data, as they could identify a person.
Real Cases, Hefty Fines.
Generally, penalties under GDPR can go up to either 4% of your business’ total annual revenue, or €20 million, whichever is higher. Below are a couple of notable case studies:
What should businesses do?
Businesses should consider having a dedicated data protection officer (“DPO”). In some countries, such as Singapore, it is mandatory to appoint a DPO.
The DPO can then look into how the business informs its customers and staff about how data is collected, processed and shared. The idea is to be as transparent as possible.
Any personal data breach must be reported immediately, both to the authorities and to each affected individual.
Lastly, businesses should keep the 7 principles of GDPR close to their hearts:
(1) Lawfulness, fairness and transparency. Information must be collected fairly. Transparently inform your users about what information you collect and how you share it.
(2) Purpose limitation. Businesses must collect and process personal data only for the purposes they explicitly specified to the data subjects concerned.
(3) Data minimisation. Organisations shouldn’t collect more personal information than they need from their users.
(4) Accuracy. Ensuring the data collected is accurate and taking steps to correct any inaccuracies.
(5) Storage limitation. Controllers should not store and hold onto data for longer than necessary for the purposes for which the data was collected.
(6) Integrity and confidentiality (security). Personal data must be protected against “unauthorised or unlawful processing,” as well as accidental loss, destruction or damage. In layman’s terms, this means that appropriate information security protections must be put in place to make sure information isn’t accessed by attackers or accidentally leaked as part of a data breach.
(7) Accountability. This means documenting how personal data is handled and the steps taken to ensure that only people who need to access certain information are able to. Accountability can also include training staff in data protection measures and regularly evaluating data handling processes.