New General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a European Union (EU) regulation that aims to protect the personal data of individuals within the EU. It was adopted in 2016 and came into effect on May 25, 2018. The GDPR replaces the Data Protection Directive 95/46/EC and is designed to harmonize data protection laws across the EU.
Key principles of the GDPR:
- Transparency: Data controllers must be transparent about how they process personal data.
- Consent: Individuals must give explicit consent for their personal data to be processed.
- Purpose limitation: Personal data can only be processed for specific, legitimate purposes.
- Data minimization: Only the minimum amount of personal data necessary for the purpose should be processed.
- Accuracy: Personal data must be accurate and up-to-date.
- Storage limitation: Personal data should not be stored for longer than necessary.
- Integrity and confidentiality: Personal data must be protected from unauthorized access, alteration, disclosure, or destruction.
- Accountability: Data controllers must be accountable for the processing of personal data.
Rights of individuals under the GDPR:
- Right to be informed: Individuals have the right to be informed about the processing of their personal data.
- Right of access: Individuals have the right to access their personal data.
- Right to rectification: Individuals have the right to rectify their personal data if it is inaccurate or incomplete.
- Right to erasure: Individuals have the right to have their personal data erased (also known as the "right to be forgotten").
- Right to restriction of processing: Individuals have the right to restrict the processing of their personal data.
- Right to data portability: Individuals have the right to receive their personal data in a structured, commonly used, and machine-readable format.
- Right to object: Individuals have the right to object to the processing of their personal data.
Roles and responsibilities under the GDPR:
- Data controller: The entity that determines the purposes and means of processing personal data.
- Data processor: The entity that processes personal data on behalf of the data controller.
- Data protection officer (DPO): A designated individual responsible for ensuring compliance with the GDPR.
Penalties for non-compliance:
- Administrative fines: Up to €20 million or 4% of the company's global annual turnover, whichever is greater.
- Other penalties: Other penalties may include warnings, reprimands, or even criminal prosecution.
Key changes and updates:
- Breach notification: Data controllers must notify the relevant supervisory authority of a personal data breach within 72 hours.
- Data protection by design and default: Data controllers must implement data protection by design and default in their processing activities.
- Data protection impact assessment: Data controllers must conduct a data protection impact assessment (DPIA) when processing personal data that involves a high risk to individuals.
- Certification and labeling: Data controllers can obtain certification or labeling for their data processing activities.
Overall, the GDPR aims to strengthen data protection and provide individuals with more control over their personal data.