Before we can start going deeper into data protection law and learning how to make your organization compliant, we must be sure that we fully understand what GDPR is and what it requires from us. In the first article of our new series, the XCure team has created this list of the most important things you need to know about GDPR. Are you ready?
GDPR stands for General Data Protection Regulation. It was created by the European Union to harmonize data privacy laws across EU Member States and ensure that individuals are protected with regards to the processing of their personal data. It also lays down the rules to facilitate the free movement of personal data within the EU.
It came into force on May 25th, 2018, and it is important to note that, while GDPR indeed brings many innovations to the field of data protection and privacy, it is not the first regulation of these matters created by the European Union. On the contrary, the GDPR replaces the Data Protection Directive of 1995, updating the existing rules to a more digital and connected world.
The Regulation is applicable whenever personal data is processed, wholly or in part, by automated means. It is also applicable when the processing is done by non-automated means if the personal data processed is, or is intended to be, part of a filing system. As you can see, GDPR has a very wide scope of application that encompasses almost all types of processing of personal data done in a systematic manner.
There are, however, four cases in which the processing of personal data is not regulated by the GDPR:
Under the GDPR, data processing is a very wide concept that includes any operation performed on personal data, either by automated or non-automated means. That includes actions such as the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, making available, alignment or combination, restriction, erasure, and destruction of personal data.
Organizations that need to comply with GDPR are divided into three main cases:
Organizations that don’t comply with GDPR will not only be considered less trustworthy by the public, but can also be subjected to substantial fines.
Less serious infringements can lead to a fine of up to €10 million, or 2% of the firm’s worldwide annual revenue from the previous year, whichever amount is higher. This type of infringement includes violations such as failing to report a data breach or notify it to data subjects.
More serious infringements, in turn, can result in fines of up to €20 million, or 4% of the firm’s worldwide annual revenue from the previous year, whichever amount is higher. They include violations such as unauthorized transfers of data and ignoring access requests from data subjects.
Under GDPR, most organizations will have to radically change the way they collect, store and use personal data. The Regulation requires that more transparency is given to this process, empowering individuals and protecting their privacy.
While becoming compliant demands a conscious effort from organizations, when done correctly it can be used to strengthen them and give a competitive advantage over those who don’t follow the Regulation.
The good news is that by reading this article you have already taken the first step on your compliance journey. In our next posts, we will explain in detail various aspects of GDPR and the measures you can take to implement them, so don’t forget to follow our LinkedIn page to keep up to date with our new data privacy law series.
Did you know that with XCure’s Privacy Management Tool you can easily map, document and maintain the requirements of data protection regulation? Try it now for free and make sure your organization is GDPR compliant!
Contact the XCure team if you want more information or a presentation about the Privacy Management Tool.