Tag Archive for: GDPR Compliance

On May 25, Europe’s new set of Internet privacy rules, the General Data Protection Regulation (GDPR), will go into effect – reshaping the way our online world works.

From that date, if your personal data is being used by any company in the European Union, then you have rights that didn’t exist before. This has a global impact because so many internet companies have employees or users somewhere in Europe.

Data is a billion-dollar industry, and the new law applies to all global Internet companies processing the personal data of users in the EU. That data covers everything from credit card details to photos and even biometric data.

The rules are meant to protect internet users, an aim that has taken on new urgency in light of the Cambridge Analytica scandal, in which illegally harvested data was used to craft ads supporting Donald Trump’s election campaign and the Brexit campaign.

Under the new rules, companies must clearly ask for consumers’ consent before harvesting their data: users have to actively “opt in” and must be informed how their data is being used and for what purpose.

Those in breach of GDPR can be fined up to four percent of annual global turnover (or €20 million, whichever is higher). Users who no longer want their personal data processed have the right to be forgotten and to have their data deleted.

Potential pros and cons of GDPR

Jason Bier of Engine Media Group believes that “GDPR does have good intentions, however, some of the law itself really breaks the internet.”

“There’s a lot of confusion in how … personal data will be interpreted by the data protection authorities in each member state,” says Bier.

“There has been the addition of an IP address, which is considered personal data, that if it’s processed before consent is given by the user that would be a violation of the GDPR. And as we all know the IP address is an essential building block of the Internet. Every communication that’s sent between a device and the webpage exchanges that simple data.”

“So it’s really a question of, what is consumer data, what is personal data? And that definition has been broadened dramatically.”

Bier thinks Google and Facebook will be empowered by GDPR, because “they’re very familiar to people, their services are widely used … so they’re going to get opt-in consent. That’s really the issue here. Small businesses can’t get opt-in consent because they don’t collect personally identifiable information like Google and Facebook do … They’re going to collect more, not less, data on individuals and associate that to personally identifiable information.”

Diego Naranjo, a senior policy adviser at European Digital Rights, doesn’t agree with Bier that the new privacy rules will benefit big companies like Google or Facebook.

“The new regulation brings a lot of strength and mechanisms, it brings potential big sanctions, so I don’t think they will be able to directly benefit from it. If they follow the rules, they will be able to do their business as anybody else. Of course, they’re big, so they’ll be able to adapt quickly but I’m not sure this will reinforce these two companies – but rather the opposite,” says Naranjo.

He admits that not enough has really been done to educate and inform people about GDPR and its implications.

“We’ve been telling the European Commission that such a change needs a proper campaign to tell people how their rights are going to be reinforced. We’ve seen a lot of misinformation by private companies who see their business model potentially affected by this regulation,” says Naranjo.

For information as to how Relocation Africa can help you with your Mobility, Immigration, Research, and Remuneration needs, email marketing@relocationafrica.com, or call us on +27 21 763 4240.

Source: Al Jazeera.

General Data Protection Regulation (GDPR) is a regulation, enforceable from 25 May 2018, that is intended to strengthen and unify data protection within the European Union. The GDPR aims to give control back to citizens and residents over their personal data, and to simplify the regulatory environment for international business by unifying the regulation within the EU.

When the regulation takes effect, it will replace the data protection directive (Directive 95/46/EC) of 1995. Unlike a directive, it does not require national governments to pass any enabling legislation, and is therefore directly binding and applicable.

The GDPR extends the scope of EU data protection law to companies outside the EU that process the personal data of people in the Union, where that processing relates to offering them goods or services or to monitoring their behaviour. It harmonizes data protection rules throughout the EU, making it easier for non-European companies to comply with a single regime. However, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of worldwide turnover.

Important terms to consider before reading about the GDPR include:

  • Data Subject: An identified or identifiable natural person whose personal data is being processed.
  • Personal Data: Any information related to a Data Subject, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
  • Data Controller: An entity that determines the purposes, conditions, and means of the processing of personal data.
  • Data Processor: An entity which processes personal data on behalf of the Data Controller.

The new regulation contains the following key changes:

  • Increased Territorial Scope: GDPR applies to all companies processing the personal data of data subjects in the Union, regardless of the company’s location, where the processing relates to offering goods or services to those data subjects or to monitoring their behaviour within the Union.
  • Penalties: Organizations in breach of GDPR can be fined up to 4% of annual global turnover, or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data, or violating the core Privacy by Design concepts.
  • Consent: Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
  • Breach Notification: Notifying the supervisory authority of a data breach becomes mandatory in all member states where the breach is likely to result in a risk to the rights and freedoms of individuals. This must be done within 72 hours of the controller first becoming aware of the breach; where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay.
  • Right to Access: GDPR provides the right for data subjects to obtain, from the data controller, confirmation as to whether or not personal data concerning them is being processed, where, and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format.
  • Right to be Forgotten: Also known as Data Erasure. Data subjects have the right to instruct the data controller to erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. Conditions for erasure include the data no longer being relevant to the original purposes for processing, or the data subject withdrawing consent. This right requires controllers to weigh the subject’s rights against the public interest in the availability of the data when considering such requests.
  • Data Portability: GDPR provides the right for a data subject to receive the personal data concerning them, which they have previously provided in a ‘commonly used and machine readable format’, and have the right to transmit that data to another controller.
  • Privacy by Design: Data protection must be built in from the outset of designing systems, rather than added afterwards. Controllers are to hold and process only the data strictly necessary for the completion of their duties (data minimization), and to limit access to personal data to those who need it to carry out the processing.
  • Data Protection Officers (DPO): Currently, controllers are required to notify their data processing activities to local data protection authorities (DPAs). Under GDPR this is replaced by internal record-keeping requirements, and appointing a DPO is mandatory for public authorities and for those controllers and processors whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data or of data relating to criminal convictions and offences. The DPO:
    • Must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices.
    • May be a staff member or an external service provider.
    • Must have their contact details provided to the relevant DPA.
    • Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge.
    • Must report directly to the highest level of management.
    • Must not carry out any other tasks that could result in a conflict of interest.

Flag of the European Union. The European Parliament’s GDPR becomes enforceable from 25 May 2018.

Parental consent will be required to process the personal data of children under the age of 16 for online services. Member states may legislate for a lower age of consent, but this will not be below the age of 13.

Topics such as data protection may seem overwhelming to some – even within a company’s IT department. But now is as good a time as any to research the very real consequences of ignoring this important aspect of running a business. The more knowledge one has about it, the easier it is to implement. And once a proper foundation has been established, occasional tweaks to adjust to new regulations, such as GDPR, are a much easier task.

With just over 100 days until GDPR becomes enforceable, businesses need to prioritize ensuring that they meet the regulation’s requirements, so that they don’t encounter any obstacles doing business with companies in the European Union later this year. Improving the quality of your company’s data protection, however, should not only be done when new regulations like GDPR come around, but rather whenever possible. This will ensure that your, and your clients’, information is properly stored, distributed, and protected. Not to mention doing so will make your clients feel at ease, and may even attract new business partners. That’s why Relocation Africa holds the safeguarding of its client and business partner data in the highest regard, and is constantly tracking changes in data-related legislation.

For more information about GDPR, and a countdown timer to its enforcement, visit the EU GDPR website.
