Effective: May 25, 2018
In response to the growing number of data breaches worldwide, the European Union has replaced the 1995 Data Protection Directive 95/46/EC with a regulation that applies directly in every member state and governs organizations that process the personal data of individuals in the EU. The General Data Protection Regulation (GDPR) places obligations on data controllers and processors, including cloud service providers, and grants rights to data subjects. Processing for national security purposes and by law enforcement falls outside the GDPR (the latter is covered by a separate directive); everyone else handling the personal data of people in the EU must follow its rules and give those individuals control over how their data is used.
About the GDPR
- The regulation applies to the processing of personal data by organizations established in the EU, and to organizations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. Personal data may be transferred to a country outside the EU only if that country has been deemed to offer adequate protection or appropriate safeguards are in place.
- Penalties for the most serious infringements, such as processing without a lawful basis or transferring data abroad without safeguards, reach up to 4% of worldwide annual turnover or €20 million, whichever is higher; a lower tier of 2% or €10 million applies to other violations. Personal data means any information relating to an identifiable person, whether it concerns their private, professional or public life.
- Each member state designates an independent supervisory authority to enforce the regulation.
- Data protection must be built into products and services by design and by default, from the start of development rather than added afterwards.
The regulation makes processing lawful only if at least one of the following legal bases applies:
- The data subject has given consent to the processing of personal data for one or more specific purposes.
- Processing is necessary for the performance of a contract to which the data subject is the party or to take steps at the request of the data subject before entering into a contract.
- Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Processing is necessary to protect the vital interests of the data subject or of another natural person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the legitimate interests pursued by the controller or by a third party unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular if the data subject is a child.
- Consent must be freely given, specific, informed and unambiguous, and it must be explicit for special categories of data such as health data. For online services offered directly to a child, consent must come from a parent or legal guardian where the child is under 16 (member states may lower this threshold to as low as 13).
- Where personal data is stored, transferred or processed, it should be pseudonymized: transformed so that it can no longer be attributed to a specific person without additional information (such as a key or lookup table) that is kept separately and protected. Keyed tokenization is one way to achieve this; encryption and pseudonymization are both named in the regulation as appropriate security measures.
- A personal data breach must be reported to the supervisory authority within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Affected individuals must also be notified without undue delay when the breach is likely to result in a high risk to them, except where the data has been rendered unintelligible to unauthorized parties, for example by encryption whose keys were not compromised.
- Individuals have the right to access the data held about them and the right to have it erased, for example where it is no longer needed for the purpose it was collected, where consent is withdrawn, or where it was processed unlawfully, unless the controller has a legitimate reason to retain it, such as a legal obligation or the defence of legal claims.
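The pseudonymization point above is easy to get wrong in practice: hashing an e-mail address with plain SHA-256 is often sold as "anonymization", but the input space is small enough that an attacker who guesses the scheme can reverse it with a candidate list. The following is an added example written for this page, not code from the GDPR text or from any vendor. It uses a constructed sample dataset and a hypothetical `TokenVault` class that replaces the direct identifier with an HMAC-SHA256 token under a secret key, keeps the reverse mapping apart from the dataset (the "additional information kept separately" that the regulation requires), and shows that the keyed token resists the dictionary attack that recovers the unkeyed hash.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional

# Constructed sample dataset (hypothetical, not from any real system).
RECORDS = [
    {"email": "Alice@example.com", "country": "DE", "purchase": 42.00},
    {"email": "bob@example.org",   "country": "FR", "purchase": 13.50},
    {"email": "alice@example.com", "country": "DE", "purchase": 7.25},
]


class TokenVault:
    """Hypothetical keyed tokenizer. A token is HMAC-SHA256 of the normalized
    identifier under a secret key; the reverse mapping is the 'additional
    information' that must live apart from the pseudonymized dataset."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._lookup: Dict[str, str] = {}   # token -> original identifier

    def tokenize(self, identifier: str) -> str:
        normalized = identifier.strip().lower()
        digest = hmac.new(self._key, normalized.encode("utf-8"), hashlib.sha256)
        token = digest.hexdigest()[:32]      # 128 bits is ample for uniqueness
        self._lookup[token] = normalized
        return token

    def reidentify(self, token: str) -> Optional[str]:
        """Only the holder of the vault can turn a token back into an identity."""
        return self._lookup.get(token)


def pseudonymize(records: List[dict], vault: TokenVault) -> List[dict]:
    """Return copies of the records with the e-mail replaced by a token.
    The same person always gets the same token, so rows can still be grouped."""
    out = []
    for rec in records:
        copy = dict(rec)
        copy["subject"] = vault.tokenize(copy.pop("email"))
        out.append(copy)
    return out


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256: a common but weak 'pseudonymization' of e-mail addresses."""
    return hashlib.sha256(identifier.strip().lower().encode("utf-8")).hexdigest()


def dictionary_attack(target: str, candidates: List[str],
                      digest: Callable[[str], str] = naive_hash) -> Optional[str]:
    """Recover the identifier behind `target` by hashing guessed candidates."""
    for candidate in candidates:
        if hmac.compare_digest(digest(candidate), target):
            return candidate
    return None


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    data = pseudonymize(RECORDS, vault)
    for row in data:
        print(row)
    print(vault.reidentify(data[1]["subject"]))   # bob@example.org, via the vault
    guesses = ["alice@example.com", "bob@example.org", "carol@example.net"]
    # The unkeyed hash falls to a candidate list; the keyed token does not.
    print(dictionary_attack(naive_hash("bob@example.org"), guesses))   # bob@example.org
    print(dictionary_attack(data[1]["subject"], guesses))               # None
```

The design choice worth noting is determinism: HMAC with a fixed key yields the same token for the same person, so analytics and joins keep working on the pseudonymized copy, while re-identification requires either the vault or the key. The key and the lookup table must therefore be stored and access-controlled separately from the dataset; if they leak together with the data, the data is no longer pseudonymized in the regulation's sense.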
For more information
RSA's full privacy and security report can be found here.
A public site with GDPR information