GDPR, the EU’s General Data Protection Regulation, became law on 25 May 2018, replacing the Data Protection Directive of 1995. The world has changed dramatically since 1995, driven by the internet revolution and the rise of social media. New laws were essential, and they were designed to give citizens of the European Union (EU) full control over their personal data.

GDPR applies automatically to all EU member states and is applicable in the EEA too. Any business or organization anywhere in the world that monitors the behavior of EU residents, offers them free or paid goods, or uses their personal data must comply. Businesses face strict penalties for violations and can be fined up to 4% of annual global revenue or 20 million Euros for breaches.

GDPR defines personal data as any information that relates to a person or that can be used to identify an individual. This includes a name, photo, email address, bank details, social networking updates, location details, health information, or a computer IP address. It relates to the individual regardless of whether they are acting in a private or public role. Sensitive personal data, including religious beliefs, racial or ethnic origin, sexual orientation, and trade union membership, is subject to stricter requirements and extra protections. Companies in B2B markets, where individuals interact and share information with and about each other, also need to comply.
The Seven Principles of GDPR
- Lawfulness, fairness and transparency - personal data must be handled lawfully, fairly and in a transparent manner in relation to the individual.
- Purpose limitation - personal data must be collected for a specific, explicit and legitimate purpose.
- Data minimization - personal data being processed must be adequate, relevant and limited to what is necessary.
- Accuracy - individuals have the right to request that data is erased or rectified if it is inaccurate or incomplete.
- Storage limitation - personal data must be deleted when the purpose for which it was collected is fulfilled.
- Integrity and confidentiality (security) - personal data must be protected against unauthorized or unlawful processing and against accidental loss, destruction and damage.
- Accountability - companies must demonstrate compliance through accurate record keeping.