EU to implement General Data Protection Regulation in May2018-04-23

Organization: Department of International Cooperation       
Source: iThome, Chinatimes, EUGDPR.org

The EU's General Data Protection Regulation (GDPR), which was passed by the European Parliament in April 2016, is set to come into force this coming May 25, at which time organizations in non-compliance may face heavy fines.

The GDPR was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy and freedoms, and to reshape the way organizations across the region approach data privacy.

The GDPR not only applies to organizations located within the EU but also to those outside the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the EU, regardless of the company's location.

Organizations can be fined up to 4 percent of their annual global turnover for violating the GDPR or EURO 20 million (US$ 24.68 million). This is the maximum fine that can be imposed for the most serious infringements, for instance, not having sufficient customer consent to process data or violating the core of Privacy by Design concepts.

The scope of what constitutes personal data has been expanded under the GDPR. It includes information related to a natural person or "data subject" that can be used to directly or indirectly identify the person, namely anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, a computer IP address, and so on.

The conditions for consent of personal data have been enhanced. Companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form in clear and plain language, with the purpose for data processing attached to that consent. In addition, withdrawing consent must be as easy as giving it.

The GDPR also gives persons the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and the right not to be subject to a decision based solely on automated processing.

The regulations surrounding data breaches primarily relate to the notification policies of companies that have been breached. Data breaches that may pose a risk to individuals must be notified to data protection authorities within 72 hours and to affected individuals without undue delay. Companies face heavy fines for failing to do so.