The General Data Protection Regulation (“GDPR”) is a new European privacy regulation which will replace the current EU Data Protection Directive (“Directive 95/46/EC”). The GDPR aims to strengthen the security and protection of personal data in the EU and harmonize EU data protection law.
A regulation such as the GDPR is a binding act, which must be followed in its entirety throughout the EU. The GDPR is an attempt to strengthen, harmonize, and modernize EU data protection law and enhance individual rights and freedoms, consistent with the European understanding of privacy as a fundamental human right. The GDPR regulates, among other things, how individuals and organizations may obtain, use, store, and eliminate personal data. It will have a significant impact on businesses around the world.
The main purpose of GDPR is to give EU citizens greater control over how their personal data is collected, protected and used. While the legislation applies to EU companies, it also applies to any company that chooses to do business in the EU. That includes any online business that owns a website that is accessible by EU citizens if that website collects user data.
Since the definition of personal information includes online identifiers such as cookies, GDPR has implications for huge numbers of U.S. businesses. GDPR applies to all companies that do business with persons based in EU member states.
To continue to do business in the EU, most companies will have to implement additional privacy protections and adopt end-to-end data protection strategies.
The EU classes personal data as “Any information relating to an identified or identifiable natural person,” which includes a wide range of information from names, addresses, telephone numbers and email addresses to bank information and credit card details, photos, posts on social media websites, medical information, and even an individual's IP address.
Even when controls have been implemented to keep data secure, it may still be necessary to overhaul systems to ensure sufficient protections are in place. Companies must know where data are stored, and employees must be trained so that they are aware of their responsibilities with regard to the use of data.
Organizations will need to provide customers – and website visitors – with detailed information on data that are collected and how data will be used. Consent must be obtained before any data are collected and consent must be obtained from a parent or custodian of a minor.
There must be a legitimate and lawful reason for collecting data, and collection must be limited to the minimum information necessary for the purpose for which the data are collected. Data must be deleted when that purpose has been achieved.
Organizations also need to implement appropriate policies, procedures and technologies to ensure that the data of EU citizens can be permanently erased. GDPR includes the right to be forgotten – termed ‘Right to Erasure’.