The General Data Protection Regulation (GDPR) is a detailed and a comprehensive set of rules and regulations that was created by the European Union in regards to data privacy rights for EU citizens. Organizations dealing with the personal data of EU citizens are required to comply with the new rules set forth in the GDPR.
As a replacement to the Data Protection Directive, the regulation aims to standardize data protection regulations across all the member states of the European Union with effect from May 2018. It is important to understand the new set of rules that this regulation may impose and equally important to understand that you may be affected, even if your organization does not have a physical presence in Europe!
The GDPR requires that an organization has complete knowledge of where all the data for any EU citizen is located and be able to remove or access it when required. Another change enlisted by the regulations of the GDPR, is the Right to Erasure or the Right to be Forgotten. The regulation allows and gives an individual the right to request for permanent erasure of his data. Under the regulation, the GDPR lays down instances in which a request may be denied. If the processing of certain data is required for public health purpose in view of public interest, requested erasure may be denied.
Apart from this, the Right to Data Portability is one of the new rights enforced by the EU, under the purview of the GDPR. The regulations of Data Portability allows data subjects the right to receive data that concerns them and also transfer it to another controller. Individuals are free to store the data for personal use.
Organizations must have procedures to ensure that the personal data of EU residents is secure, accessible, and can be identified upon request. This also calls for immediate appointment of Data Protection Officers (DPOs). DPOs need to be mandatorily appointed if the company is a public authority, body where data processing happens, or when large scale processing of personal data related to criminal convictions like race, religion, orientation happens in the organization. Data Protection Officers conduct an internal check and monitor data processing activities instead of handing it over to DPAs. The DPOs are specifically appointed to inform and educate the employees about the obligations of data protection and check if the organization is in compliance with the GDPR.
The regulation has also strengthened the need for consent. Data processing can and should be done with consent of the data subject, and the controller should be in a position to demonstrate the subject’s consent for processing of his data.
The changes that the GDPR has brought along, require companies and organizations to comply at all costs. The GDPR is certain to create changes in the way organizations have handled data and data processing so far. The GDPR is said to bring out massive changes in all forms and fields of data protection and eDiscovery.