What is GDPR?
The General Data Protection Regulation (GDPR) is a new EU regulation that must be complied with from 25 May 2018 onward.
What is its purpose?
There are a few good reasons for this regulation. It replaces the older directive from 1995, which has become badly outdated as use of the Internet has grown. Another important aim is to unify how the security and privacy of personal data are handled across the EU. Under the old directive, member states had considerable leeway in how they interpreted and enforced it; with less room for interpretation, the GDPR will help people understand their rights better and so improves transparency around the handling of personal data. If a company or organisation does not comply with the new regulation, it can be fined up to 20 million euros or 4% of its worldwide annual turnover for the preceding financial year, whichever is higher.
Does this concern me?
As a company or an organisation, yes, if you handle the personal data of people in the EU, regardless of where you are located. The term "personal data" covers all information that can be used to identify an individual, either directly or indirectly. The obvious examples are name, address, email and phone number. However, personal data now also includes, for example, an IP address and the information that website cookies collect.
- As an example, you can see what we at Zervant have done to prepare for GDPR here.
As a client, this new regulation gives you more rights over how your personal data is stored and processed. Companies and organisations need a lawful basis for handling your data, most commonly your consent, and must inform you if the data is handled by a third party at any point. You can also always ask "to be forgotten", which means having your personal data erased from a company's database.
- At Zervant we always ask for your consent to data usage if you contact our customer support. By giving that consent, you allow Zervant employees to access your account. However, we only use the information for investigation purposes related to your Zervant account.
Companies need to be able to ensure the confidentiality and security of personal information:
- By applying appropriate encryption (and pseudonymisation) to personal data.
- There have to be processes for regularly testing the effectiveness of the security measures.
- Personal data breaches must be reported to the supervisory authority (within 72 hours where feasible) and, where the breach is likely to result in a high risk to the individuals concerned, to those individuals as well.
- Companies might need to appoint a DPO (data protection officer) who monitors compliance with the regulation. This is obligatory if the organisation is a public authority, if local laws require a DPO, if the organisation's core activities consist of regular and systematic monitoring of people on a large scale (e.g. online advertising), or if its core activities involve large-scale processing of sensitive data or data on criminal convictions.
- Privacy and data protection need to be built in by design, not bolted on to the software or system afterwards.
A short summary:
- Personal data means everything that can be linked to an individual.
- Data processing needs a lawful basis, usually consent.
- Right to be forgotten: you can ask for your data to be erased.
- Possibly a data protection officer, plus sufficient reporting and documentation. Please note that the GDPR does not require certificates.
- Reporting of data breaches is mandatory.
- Data protection needs to be built in by design.
More information on our website: