New European Regulation GDPR 2016/679
A few words about the regulation
The GDPR was adopted by the European Parliament on 14 April 2016.
It applies from 25 May 2018 as directly applicable law in all the Member States of the European Union. From that date the previous regulatory framework for the protection of personal data was repealed and many aspects were amended.
The Regulation is of general application, binding in its entirety and directly applicable in all the Member States of the European Union. To a large extent it concerns the security procedures and the risk management of a company or organisation.
It was created to give citizens more control over their personal data and to push businesses and organisations towards strong protection of the personal data they hold.
The Regulation regulates the rights of individuals
The new European Regulation (EU) 2016/679 (GDPR) replaces Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
The Regulation regulates the rights of individuals to:
- their personal data,
- the processing of their personal data,
- the free and unhindered movement and transfer of their personal data within the borders of the European Union,
- procedures for the transfer of personal data outside the European Union.
Other critical points that affect an organisation's reputation and liquidity include:
- the obligation to notify the supervisory authority and the affected data subjects within a set period of time,
- the disclosure of personal data breaches,
- compensation to data subjects who have suffered damage.
The concept of personal data
Personal data is any information relating to an identified or identifiable natural person (the data subject), i.e. information that can be used to identify that person directly or indirectly. Examples include a name, a photograph, an email address, bank account details, social networking posts, medical information, or a computer's IP address.
Key steps you can take to align with the GDPR
- Identify where your personal data is in your business or organization.
- Create policies that clearly describe how and why your business collects and processes personal data.
- Set up a risk management program to protect your data.
- Comply with the Regulation's standards on transparency, accountability and record keeping: handle data subject requests and maintain the required documentation.
The requirements of the Regulation
The range of requirements for businesses and organizations that collect or process personal data is broad, with the six basic principles presented below:
- Lawfulness, fairness and transparency in the handling and use of personal data.
- Restrict the processing of personal data to specified, explicit and legitimate purposes.
- Collect and store only the minimum volume of personal data required for a purpose.
- Ensure the accuracy of data, including the ability to rectify or erase inaccurate data.
- Limit the period for which personal data are stored.
- Ensure the security, integrity and confidentiality of personal data.
Businesses need to be aligned with the following
- Process the personal data of their customers lawfully, fairly and transparently
- Collect personal data only for specified, explicit and legitimate purposes
- Limit processing to what is necessary for those purposes
- Keep the data accurate and up to date
- Do not retain the data beyond the necessary time frame
- Apply appropriate safeguards that ensure the security and protection of personal data
Key changes introduced by GDPR
The GDPR imposes a series of new obligations on controllers, stemming from the basic principles, in particular the enhanced transparency principle in the way data are collected, processed and kept, and the new principle of accountability, according to which the controller is responsible for, and must be able to demonstrate, compliance with all the principles governing the processing of personal data. New rights are also introduced for data subjects, such as the right to erasure (the "right to be forgotten") and the right to data portability.
The sanctions provided
The sanctions provided by the new Regulation are extremely high and amount to up to EUR 20,000,000 or up to 4% of the total worldwide annual turnover of the preceding financial year (whichever is higher).
This is the maximum fine that can be imposed for the most serious infringements, e.g. processing personal data without a lawful basis such as valid consent, or infringing the rights of data subjects.
Fines are tiered.
For example, an enterprise faces a fine of up to EUR 10,000,000 or 2% of turnover for failing to keep the required records of processing, for late notification of a data breach to the supervisory authority and to the data subjects, or for failing to carry out a data protection impact assessment.
Consequently, non-compliance with the new arrangements carries the risk of a fine imposed by the supervisory authority that may spell financial ruin for the organisation or company.
A personal data breach that is likely to result in a risk to data subjects must be notified to the competent supervisory authority within 72 hours of the controller becoming aware of it. Where the breach is likely to result in a high risk to the data subjects, they must also be informed without undue delay.
Bodies that need to be in harmony with GDPR
All public and private sector bodies and organisations that process personal data as part of their activity must comply with the GDPR.
Any company, organisation or government agency that collects, records, stores, discloses by transmission, combines, deletes or destroys information relating to an identified or identifiable natural person is obliged to apply the new Regulation.