General Data Protection Regulation: EU moves to solid data protection
At the end of May 2018, the European Union's General Data Protection Regulation comes into effect: are you ready for this new customer-oriented change?
The General Data Protection Regulation (GDPR) is the new regulation adopted by the European Union to strengthen the protection of customers when they share their data on the internet. Particular attention is given to data revealing ethnic origin, political and religious views, and to biometric data that can uniquely identify a person.
To give users back control over their personal data, the GDPR introduces several operational and organizational changes:
- Users must be able to request a copy of the personal data they have provided, both actively (e.g. by filling in a form) and passively (e.g. data collected through their use of a particular service).
- The copy must be provided in a format that is accessible and can be transmitted to other systems.
Data Protection Officer
The Data Protection Officer (DPO) is a completely new role introduced by the GDPR: the DPO advises on, monitors and guides compliance with the data protection regulation.
Lead Supervisory Authority
The Lead Supervisory Authority is another new authority, to be designated when a controller or processor needs to move the collected data from one country to another ("cross-border processing"). The GDPR defines "cross-border processing" as the:
- Processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
- Processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State. (General Data Protection Regulation final text, http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf)
The IT Governance website gives a clear description: "a new one-stop shop for businesses means that firms will only have to deal with a single supervisory authority, not one for each of the EU's 28 member States, making it simpler and cheaper for companies to do business in the EU" (IT Governance, https://www.itgovernance.co.uk/data-protection-dpa-and-eu-data-protection-regulation)
Data breach notification
If something goes wrong, controllers must report any data breach affecting the stored personal data within 72 hours of becoming aware of it.
The GDPR introduces further changes as well, but there is still time to get ready for the "most important change in data privacy regulation in 20 years", as the GDPR official website (www.eugdpr.org) puts it. In the Internet of Everything world, data protection can no longer be ignored.