A Brief History Of GDPR
The European Parliament approved and adopted the General Data Protection Regulation (GDPR) in April 2016. After a two-year transition period, the GDPR became applicable on May 25, 2018. The regulation affects any company that processes the personal data of people in the EU, whether or not that company is itself based in the EU. Therefore, if your business sells goods or services to people in the EU, you will need to comply with the GDPR.
How Did We Get Here?
The previous data protection rules across Europe, the Data Protection Directive (DPD) of 1995, were created during the 1990s and had struggled to keep pace with fast technological change. Things have advanced greatly since the DPD first came into force. For example, internet adoption has increased enormously: back in 1995 there were fewer than 45 million internet users, while today that number has grown to about 1.8 billion. Cybersecurity has become a greater concern for businesses of all sizes and types. According to a recent study by the Online Trust Alliance, the total number of incidents doubled in 2017, while a different study found that 43 percent of cyber-attacks target small businesses.
GDPR has been designed to reflect all these changes. And because GDPR is a regulation rather than a directive, it is binding legislation that applies directly in every EU member state, without first having to be transposed into national law.
Most businesses wonder how real the public concern over privacy actually is. According to the RSA Data Privacy and Security Report, it is very real indeed and grows with every new high-profile data breach. RSA surveyed 7,500 consumers from France, Germany, Italy, the UK and the U.S.; 80 percent of respondents said that lost banking and financial data was a major concern for them. In addition, 76 percent of consumers said that lost security information, such as passwords, and identity information, such as passports or driving licences, were also a concern.
Designed to protect the digital security and privacy of people within the EU, the regulation limits how online businesses collect and use personal data about their consumers.
So there is a big burden for small businesses to carry, as the GDPR presents one of the most challenging overhauls that many small businesses have ever faced. Becoming GDPR compliant can seem like a time-consuming challenge. As a small business owner, it is quite difficult to take care of the legal obligations that the GDPR implies in order to make sure that your company complies with the new regulation. It is worth mentioning that the GDPR itself contains 11 chapters and 99 articles, preceded by 173 recitals.
Overview of GDPR and the information lifecycle
GDPR legislation aims to create more consistent protection of consumer and personal data across EU nations. The regulation is designed to reflect the world we live in now, and it brings laws and requirements across Europe, including those around personal data, privacy and the consent of the individual, up to speed for the internet-connected age.
It is all fundamentally about data and how it is used. The foundation of this approach is the information lifecycle, which has four main phases: collection, storage and security, usage, and disposal. Businesses should limit the collection, storage and usage of personal data to what is relevant and necessary for the purpose of processing (the GDPR's principles of purpose limitation, data minimisation and storage limitation). GDPR's ultimate goal is to strengthen personal data protection for people in the EU, regardless of the nationality or residence of the person concerned, and it applies to processing carried out by organisations established in the EU as well as to organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU.
The types of data GDPR protects
Personal data: Any information relating to an identified or identifiable natural person is considered personal data under GDPR. Examples include a name, address, date of birth, e-mail address, IP address, and location data (e.g. GPS coordinates). Note that online identifiers such as IP addresses and cookie IDs count as personal data if they can be linked to an individual, even indirectly.
Sensitive personal data (the GDPR's "special categories of personal data", Article 9): Under GDPR this category has even more stringent protection rules, and processing it is prohibited unless one of a limited set of conditions applies (for example, the explicit consent of the data subject). It includes
- racial or ethnic origin;
- political opinion;
- religious or philosophical beliefs;
- trade union membership;
- genetic and biometric data;
- health data or data concerning sex life or sexual orientation.
Failing to comply with GDPR could have a major impact on your business: companies that breach their obligations can be fined as much as 4 percent of their total worldwide annual turnover for the preceding financial year or 20 million euros, whichever is greater.
Are Regulators Ready to Enforce GDPR Law?
Seventeen of 24 regulators who responded to a Reuters survey, said they either do not have the necessary funding or lack the power to enforce GDPR. “We’ve realized that our resources were insufficient to cope with the new missions given by the GDPR,” CNIL President Isabelle Falque-Pierrotin said.
One of the main reasons why they are not prepared to enforce GDPR is that many European Union countries do not have the proper laws in place. According to Reuters, many regulators lack the powers they need because their governments have not updated national laws to reflect GDPR requirements. The majority of the survey respondents, the report noted, said they would react when they receive complaints and investigate them on their merits, while a small minority said they would proactively examine how companies comply and fine those that have violated the law.