The General Data Protection Regulation (GDPR) is the EU regulatory framework aimed at protecting data and privacy of people and businesses in the EU. It was passed on April 14, 2016, and came into force on May 25, 2018.
Requirement for explicit consent:
Companies are required to obtain explicit consent before processing data from individuals, after transparently informing them of their aims (processing, storage and other uses of the data). It is no longer sufficient simply to inform users; they must now actively consent.
Right of access:
All citizens have the right to receive confirmation from companies about whether they possess and process their personal data. If so, they may access this data, and the organization is obliged to provide a copy and to explain the purpose of the data processing, the criteria used and the period for which the data will be kept. The GDPR also establishes the right to have any personal data corrected.
Right to be forgotten:
This establishes the right of the user to have their data erased under certain circumstances: where the data is no longer required for the purpose for which it was collected, where consent has been revoked, where the data was collected in relation to a time-limited offer of services, where the data was obtained illegally, etc.
Right of portability:
Users have the right to request that the organization holding their personal data transfer or provide a copy of the data to a third party.
Responsibilities of the organization:
In general, the responsibilities of businesses and organizations have increased. The new regulation obliges them to implement systems for monitoring data processing as well as documenting data collection, storage and use procedures.
Failure to comply with the GDPR can incur sanctions on four levels:
- A warning
- A caution
- Suspension of the right to process data
- A fine
For fines, there are two levels: the first level allows for a fine of up to €10 million or up to 2% of annual revenue (whichever is higher); the second level allows for a fine of €20 million or 4% of annual turnover. This is in addition to any consequent lawsuits for damages.
What it means for citizens
The right to be forgotten.
Any user has the right to contact any company and ask for their personal data to be erased. The company then has 30 days to erase the data of this user from its systems.
Less marketing and advertising material.
Sometimes, simply accepting the terms of a service agreement has been taken as consent to receiving advertising. Consent has been considered implicit by most companies. The GDPR obliges companies to obtain the explicit and informed consent of consumers before their data is used for the purposes of advertising, etc.
Protection of minors.
Teenagers and young adults should receive proper training on how to safely use social networks, but the GDPR also reinforces their protection by allowing potentially embarrassing messages to be deleted. In countries such as the UK, young people also have additional protection: since 2018, users of Facebook, Twitter and Instagram can delete all posts published before they were 18 years old.