EU new privacy law
You're referring to the European Union's General Data Protection Regulation (GDPR), which came into effect on May 25, 2018. The GDPR is a comprehensive data protection law that aims to protect the personal data of individuals within the European Union (EU) and to harmonize data protection laws across the EU.
Here are some key aspects of the GDPR:
Key Principles:
- Transparency: Data controllers must be transparent about how they process personal data.
- Legality: Data processing must be lawful and fair.
- Purpose Limitation: Data must be collected for specific, explicit, and legitimate purposes.
- Data Minimization: Data must be adequate, relevant, and limited to what is necessary for the purpose.
- Accuracy: Data must be accurate and up-to-date.
- Storage Limitation: Data must be stored for no longer than necessary.
- Integrity and Confidentiality: Data must be protected against unauthorized access, alteration, disclosure, or destruction.
Rights of Individuals:
- Right to Access: Individuals have the right to access their personal data.
- Right to Rectification: Individuals have the right to rectify their personal data.
- Right to Erasure: Individuals have the right to erasure (also known as the "right to be forgotten").
- Right to Restriction of Processing: Individuals have the right to restrict the processing of their personal data.
- Right to Data Portability: Individuals have the right to receive their personal data in a structured, commonly used, and machine-readable format.
- Right to Object: Individuals have the right to object to the processing of their personal data.
Data Controllers and Processors:
- Data Controllers: Organizations that determine the purposes and means of processing personal data.
- Data Processors: Organizations that process personal data on behalf of data controllers.
Fines and Penalties:
- Administrative Fines: Up to €20 million or 4% of a company's global annual turnover, whichever is greater.
Impact on Businesses:
- Data Mapping: Businesses must conduct data mapping to identify and classify personal data.
- Data Protection by Design and Default: Businesses must implement data protection measures by design and default.
- Data Breach Notification: Businesses must notify data protection authorities and individuals of data breaches within 72 hours.
- Data Protection Officer: Businesses must appoint a data protection officer (DPO) if they process large amounts of personal data or engage in high-risk data processing activities.
The GDPR has significant implications for businesses that operate in the EU or process personal data of EU individuals. It's essential for businesses to understand the GDPR and implement measures to comply with the regulation.