What is GDPR?
The General Data Protection Regulation (GDPR) is a European Union Regulation (Regulation (EU) 2016/679) concerned with the protection and free movement of personal data and the rights of individuals, including children. It replaces the EU Data Protection Directive (95/46/EC) from 1995. As a regulation, the GDPR is a binding legislative act, unlike a directive, which sets out a goal for EU member states to achieve.
When does the regulation enter into force?
After four years of preparation and debate the GDPR was approved by the EU Parliament on the 14th of April 2016 and entered into force on the 25th of May 2016. The enforcement date will be the 25th of May 2018 – at which time those organizations in non-compliance will face heavy fines.
What is the difference between a regulation and a directive?
A regulation is a binding legislative act. It must be applied in its entirety across the EU, while a directive is a legislative act that sets out a goal that all EU countries must achieve. With a directive, it is up to the individual countries to decide how. It is important to note that the GDPR is a regulation, in contrast to the previous legislation, which is a directive.
Who does the GDPR affect?
The GDPR not only applies to organizations located within the EU but also to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
What is the difference between a data processor and data controller?
As EU Data Privacy Directive, the GDPR includes the concepts of a data controller and a data processor. A data controller is an entity that determines the purposes, conditions and means of the processing of personal data, while a data processor is an entity that processes personal data on behalf of the controller.
What constitutes personal data?
Personal data is any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. Personal data can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, a device IP address or a mobile device ID.
What are the requirements with respect to consent?
The conditions for consent have been strengthened. The request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent, meaning it must be unambiguous. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must also be as easy to withdraw consent as it is to give it.
What are the requirements with respect to data breaches?
Data breaches which may pose a risk to individuals must be notified to the Data Protection Authority (DPA) within 72 hours and to affected individuals without undue delay.
What about the Data Subjects under the age of 16?
Parental consent will be required to process the personal data of children under the age of 16 for online services; member states may legislate for a lower age of consent but this will not be below the age of 13.
What is the impact to companies in US/India?
GDPR applies to any US/Indian company that collects personal data from EU citizens and transfers it out of the EU. An important note for US companies that use the Privacy Shield Framework is that Privacy Shield only addresses the data transfer requirement. A US company, like any companies in the EU must comply with all the requirements of GDPR.