The General Data Protection Regulation is a newly updated EU policy which replaced the Data Protection
Directive (DPD) with an intention to improvise the protection of the personal data. This policy applies to the entities within EU as
well as the non-EU businesses who are involved in marketing their products to EU.
As your trusted marketing solution partner, we help you on your GDPR compliance voyage. At Discover Media Groups Data, our entire organization works to ensure that we follow GDPR-compliant practices. At the same time, it is essential for us to help our customers and partners to make them understand the impact of this law on their businesses and also to develop a GDPR compliance process of their own.
Essential Details of GDPR and About the Preparation of DGM Data:
The European General Data Protection Regulation is an update of the Data Protection Directive 95/46/EC. This new policy came into enforcement on 25th May 2018. It is envisioned to harmonize data privacy laws across the European Union and hence protects the personal data of the EU citizens. GDPR encourages all the businesses to be transparent in the data processing activity. In the UK, the GDPR policy will replace the Data Protection Act.
The 1995 Directive for data protection and privacy lays a foundation for GDPR. The advancement of the technology in the 80s gave rise to the increased use of computers. This progression resulted in the changes in various activities such as data collection, storage, and processing. Hence to be more rigorous about data privacy, the European Data Protection Directive came into existence in 1995. This directive stated data protection principles which were used by the organizations for over two decades.
Principles of Data Protection Directive
Although the primary goal of these principles is to include the harmonization of data protection laws, it was still a directive. It led to a path for a more significant piece of legislation known as GDPR which became an enforceable law in all the member state. Also, the newly updated General Data Protection Regulation includes various provisions to strengthen the rights of data subjects. Besides, it adds harsher penalties for the violation of the law. Apart from that, one should note that this law is not applicable to legal entities and also a deceased person.
The newly updated GDPR policy applies not only to EU businesses but also to the non-EU firms who monitor or process the data of EU citizens. Also, to enhance the data privacy of an individual, the GDPR strengthens their right with many criteria’s. The individuals have all the right to know about the usage of their data, and also to rectify or delete them anytime. We will see those changes in the next section.
The newly updated General Data Protection Regulation came into existence with an intention to strengthen the previous directive. Although the critical principles of GDPR are similar to the 1995 EU Directive, it includes many changes in the policy. The notable ones that impact the businesses are listed below.
– Rights to Access
This right of an individual was found in the previous directive as well. But, GDPR enhances this right by adding a few more criteria. The data subjects have all the right to know the processing status of their data, the place of usage and its purposes. The period to process the access request is now 30 days. Also, the organization cannot charge for processing request unless it is expensive. Besides, the company can also refuse the access request. However, they must have the apparent reason and policies in hand to prove the refusal.
– Right to Be Forgotten
Data subjects have an exclusive right regarding their personal information. They can ask the controller to remove or delete their data anytime. Also known as Data Erasure, the Article 17 of GDPR specifies the conditions for this right. However, the data controller must remove the individual’s personal information when it is no longer relevant to the original purpose.
– Right to Portability
GDPR also introduces one more right for an individual regarding the data portability. According to this right, the data subject can demand the copy of their personal information which they have provided to the organization. Also, they have all the power to transmit the data to other controllers.
The new law made some changes to the condition of the approvals. That is, the permission must be explicit and distinguishable in the updated policy. Also, one must provide it in an easily accessible format with an understandable language. Hence, the organizations cannot consider the long form of terms and conditions as the request for the user’s consent.
– Severe Penalties
GDPR introduces severe penalties for the violation of laws. That is, it can include 4% of annual global revenue or €20 Million whichever is greater. Also, the level of penalty will vary based on the type of the infringement. The Article 83(4) and Article 83(5) of GDPR lists the criteria for different levels of penalty respectively. Besides, it will not only include fines. It may come in the form of warnings, reprimands or also suspensions of data processing permanently.
– Territorial Scope
According to the 1995 EU Data Protection Directive, the scope of the rules was applicable only within EU. But, the newly updated law includes all the entities (EU or non-EU) who market their products or services to the citizens of EU or the businesses who monitor the behavior of the individual’s in the EU.
– Privacy by Design
According to this change, the company must give importance to data protection beginning from the designing of the system. It should be a part of the organization, and not an addition.
The new law requires both the controllers and the processors to demonstrate their GDPR compliancy to their local supervisory authority. That is, the processes must be recorded, applied as well as reviewed regularly. Also, the employees must undergo proper training regarding the changes in the policy. Besides, they must be able to take technical and organizational measures to ensure their compliance with the GDPR.
– Breach Notification
Under the new system, the breach notification has become mandatory in all the member states. The data controllers must report the breach to the supervisory authority within 72 hours of learning it. Also, they must inform the data subjects who will be affected by this breach.
– Data Protection Officers
In the previous directive, the data controllers must inform about their processing activities with the local Data Protection Authorities (DPA). But, under GDPR, this method is not required. The organizations will appoint Data Protection Officers (DPO) if their fundamental operations include processing on a regular basis and systematic monitoring of data subjects widely. Also, they must nominate a DPO if they process the data related to some particular categories or criminal convictions and offenses.
Before the existence of GDPR, only data controller was responsible for any mishandling of user’s data. Whereas, in the new policy, both the data controller and the processor will be accountable for GDPR compliance. That is, the third party or other organizations who process the data on behalf of your organization will also abide by the GDPR policy and hold liable for its violations.
We Safeguard Your Personal Data
“Fulfilling data privacy and security commitments are important to us.”
Our Expertise in Data Privacy
With legal jargons sprinkled over the GDPR privacy law, we are here to help you with the essential definitions. Our glossary page aids you in understanding some of the frequently used terms in the GDPR.
– Article 29 Working Party
The Art.29 WP is an advisory body. It includes the representatives from the data protection authority of each EU member state, the European Commission, and the European Data Protection Supervisor.
– Data Breach
In the context of the GDPR policy, the data breach refers to various unlawful activities. It includes actions such as destruction, random access, misuse, etc. of an individual’s data.
– Data Controller
It refers to the person or the organization who controls the drive and also data processing operation.
– Data Erasure
Also known as the right to erase or to be forgotten, it is one of the fundamental rights of an individual. According to this right, the individual has full authority over their data, and they can also ask the controller to delete their data anytime.
– Data Processor
It refers to an organization or a company that helps a data controller by processing the data based on their instructions.
– Data Processing
In the GDPR lexicon, the term data processing refers to an operation performed on an individual’s personal information. It includes several acts such as data gathering, organizing, storing, structuring, updating, retrieving, using, erasing, and more.
– Data Protection Officer (DPO)
DPO is a data privacy expert who works independently and also responsible for ensuring that an entity is obeying the GDPR policy.
– Data Subject
This term indicates an existing individual whose personal information is being used by the organization.
– Information Commissioner’s Office (ICO)
It is the supervisory authority in the UK. Elizabeth Denham is the current information commissioner in the UK.
– Personal Data
In the GDPR context, the personal data stands for any information related to a person which directly or indirectly identifies him. It includes different identifiers such as a name, residential address, email address, identification card number, Internet Protocol (IP) address, and a few more.
Any form of automated processing of individual’s data proposed to evaluate specific parts such as personal preferences, analyze work performance, economic condition, geographic location, etc.
– Supervisory Authority
It refers to one or more public authority who is appointed by each member state to monitor the application of GDPR.
– Third Country
It includes the countries other than the European Union. That is, at the time that the GDPR became applicable, it listed few secure third countries. They are Andorra, Argentina, Canada (lists only commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, and the USA (only if the receiver belongs to the Privacy Shield).
– Third Party
It refers to the agency, legal person, or any public authority. In the GDPR lexicon, the third party will not include the data controller, processor, data subject and also the other person who is under the influence of the controller to process the personal information.