What is GDPR?
GDPR, or the General Data Protection Regulation, is the new European regulation that applies from 25 May 2018, after having been adopted in April 2016.
This regulation was designed to harmonize data protection laws across Europe, with the purpose of protecting individuals in the EU and giving them greater control over their personal data.
GDPR will have a great impact on companies and organizations operating in Europe and on the way they handle data: storage, processing, access, transfer, disclosure… It is important to highlight that GDPR does not only have implications for European companies, but for any foreign organization that operates in the EU or processes the personal data of individuals located in the EU.
Once it applies, the new regulation replaces the current Data Protection Directive (95/46/EC) of 1995. It is worth mentioning that since GDPR is a regulation, and not a directive, it is directly binding in every Member State without needing to be transposed into national law.
The values that the General Data Protection Regulation is based on are:
- Recognition of the protection of an individual's personal data, and of that individual's control over how the data is handled, as a fundamental right.
- Companies and organizations must guarantee security in all business processes and exchanges related to the handling of personal data.
What does the GDPR imply?
The new data protection regulation goes beyond the traditional "personal data" such as name, address, phone number, passport number, etc. GDPR protects any information relating to an identified or identifiable individual, which includes, for example, cookies, other online identifiers and IP addresses.
Moreover, GDPR gives extra protection to "special categories" of personal data, often called sensitive personal data: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, and data concerning sex life or sexual orientation. Processing of such data is prohibited by default and is only allowed when one of the specific conditions set out in Article 9 applies, such as the explicit consent of the individual.
As can be seen, the European Union has significantly broadened what is understood by personal data, with a view to greater protection and safety for individuals.
Therefore, this new protection framework significantly impacts:
- Any organization that processes the personal data of, or monitors the behavior of, individuals located in the European Union.
- Any company established in the EU, regardless of whether the processing itself takes place inside or outside the EU.
- Any company that, even while not established in the EU, offers goods or services to individuals in the EU or handles their personal data.
Penalties faced by companies and organizations that breach the new regulation are much heavier than those available under the 1995 Directive.
With GDPR, administrative fines may reach 20 million euros or 4% of the company's worldwide annual turnover for the preceding financial year, whichever is higher. Amounts of this size could push many organizations into bankruptcy.
Keeping in mind that data breaches are increasingly common, companies need to be fully aware of the magnitude of the problem, especially from an economic standpoint, that being in breach of GDPR would imply.
In light of this, it is vital for all organizations to be fully aware of what GDPR is, of the new obligations they must meet, and of how to get their systems ready quickly.
Who does it apply to?
Those who need to abide by the new regulation are known as data "controllers" and "processors."
The former determine why and how personal data is processed, while processors process personal data on behalf of a controller.
To make these concepts concrete: a controller could be any company or organization that decides to collect data about its customers, while a processor could be an IT provider that performs the actual data processing for it, for example a hosting or payroll service.
The controller remains responsible for ensuring that the processors it engages strictly comply with the data protection law, although GDPR also places direct obligations on processors themselves.
It is again worth mentioning that, even if controllers and processors are located outside the EU, they will have to comply with GDPR in relation to the personal data of individuals in the EU, in order to avoid non-compliance and the economic fines it could bring.
Now that you know better what GDPR is, what it involves and to whom it applies, it is important that your systems are adapted to the new regulation, given the serious economic repercussions that non-compliance would have for your company.
One effective way to address this is with WSO2 Identity & Access Management. If you want to know all the benefits of this software for your company, contact us; our consultants are ready to help!