According to the EU GDPR Portal, the EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years.
It replaces the Data Protection Directive 95/46/EC that was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way companies across the region approach data privacy. It will take effect on 25 May 2018.
GDPR Key Changes
People will now be able to ask organizations at any time to update or correct their data if the information is not accurate.
Data Collection – Transparency
The GDPR was designed to ensure more transparency between the organisations that collect and control the data and the individuals whose personal data is being collected. Any company that wants to collect data via a web form must communicate clearly to that person what the data is going to be used for.
Purpose and Usage Limitation
Organizations can only use the data collected and stored by them for specified, explicit, and legitimate purposes.
This means they must use “appropriate technical and organizational security measures” to protect personal data against unauthorised processing and accidental loss, disclosure, access, destruction, or alteration.
Organizations may only hold on to personal data for as long as is necessary to fulfil the intended purpose of collection.
Organizations need to keep records to prove compliance, and they also need to ensure they have policies in place governing the collection and use of that data.
Sanctions for contraventions are up to €20m or 4% of an organisation’s annual global turnover.
Disclaimer: This blog post is not legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand the GDPR.