On 25 May 2018 the General Data Protection Regulation (GDPR) started to apply across the EU member states. Although the GDPR is EU legislation, its effect reaches well beyond Europe: it applies to any organization, wherever it is based, that processes the personal data of people in the EU. The regulation is strict and is built around the rights of the individual over their own data.
As a leading mobile app development firm, CoreiBytes was also waiting for the GDPR to take effect. As a customer-first company, CoreiBytes wants to understand the significant changes the GDPR brings to the technology landscape.
The following are the ten most significant changes introduced by the new data protection regulation.
1. Significant increases in sanctions and penalties
In case of a data breach or other mishandling of personal data, the penalties are as follows:
- Administrative fines of up to 4% of the organization's total worldwide annual turnover or EUR 20 million, whichever is higher.
- Administrative fines can also be imposed on public authorities.
- The GDPR gives individuals a right to compensation from the controller or processor for "material or non-material damage". Non-material damage covers harm such as distress that has no direct financial cost.
2. More transparency in the data protection principles
- The previous directive required organizations to process data lawfully and fairly. The GDPR adds "transparently" to that principle and backs it with a list of must-have information that the organization has to provide.
- The GDPR lists in detail what information must be communicated to individuals (for example the purposes of processing, the legal basis, the retention period and the individual's rights), and some of these points are uncomfortable for organizations to answer.
- The GDPR introduces a stricter accountability principle. The data controller is responsible for compliance with the data protection principles and must be able to demonstrate that compliance.
3. No registration requirement, but detailed records must be kept
The GDPR removes the requirement to register the organization with its national data protection supervisory authority. In its place it requires the controller to keep detailed records of its processing activities, which must be made available to the supervisory authority on request.
4. Consent
Like the 1995 directive, the GDPR defines consent as any freely given, specific, informed and unambiguous indication of the individual's agreement to the processing of his or her data. However, it goes on to require that consent be given by a statement or a clear affirmative action. Combined with the obligation that organizations must be able to prove that they obtained consent, this makes obtaining valid consent harder than before.
The GDPR also places restrictions on organizations that wish to rely on consent as their legal basis:
- Imbalanced relationship and conditionality: consent is unlikely to count as freely given where there is a clear imbalance of power between the individual and the organization, and organizations cannot make access to a service conditional on consent to processing that is not necessary for that service.
- Unbundled: the request for consent must be kept separate from other terms and conditions or other matters being communicated to the individual.
- Opt-in, not opt-out: the GDPR requires a statement or another affirmative action; silence, pre-ticked boxes or inactivity do not count as consent.
- Informed: the individual must be told, in clear and plain language, who is processing the data and for what purposes.
- The right of withdrawal: the individual can withdraw consent at any time, and it must be as easy to withdraw consent as it was to give it.
5. Appointing an independent data protection officer
One of the main GDPR highlights is the mandatory appointment of a data protection officer (DPO). The appointment is compulsory for specific data controllers and processors, namely:
- Public bodies (except for courts acting in their judicial capacity).
- Organizations whose core activities involve regular and systematic monitoring of individuals on a large scale.
- Organizations whose core activities involve large-scale processing of special categories of personal data or of personal data relating to criminal convictions and offences.
6. Security breach notification deadline
There is a specific list of obligations for both the data controller and the data processor. The GDPR clearly states that the data controller must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, the controller must also inform the affected individuals without undue delay. A processor that discovers a breach must notify the controller without undue delay.
7. Individual rights over their personal data
The key rights of individuals under the GDPR are as follows.
- The right to data access
- The right to rectification
- The right to be forgotten
- The right to restrict processing
- The right to object to the processing
- The right to data portability
- The right not to be subject to a decision based solely on automated processing, including profiling
8. Cross-border data transfer
A transfer of personal data outside the EU can take place under the following mechanisms:
- Agreement between public bodies
- Administrative arrangements between public bodies
- Binding corporate rules
- Standard data protection clauses approved by the supervisory authority (DPC)
- Codes of conduct
- Certification
9. One-stop shop for data protection regulation
Regardless of the EU member state, the GDPR acts as a single data protection regulation. For an organization with establishments in several member states, the supervisory authority of its main establishment becomes the lead authority and works closely with the other concerned authorities across the EU. The critical issues in deciding where the main establishment is are:
- Where are decisions about the purposes and means of processing taken?
- Which entity has the power to implement those decisions?
- Where are the directors located?
10. Data protection by design and by default
To protect data by design and by default, the GDPR requires the controller to take measures such as the following:
- Minimize the processing of personal data.
- Pseudonymise personal data as soon as possible.
- Be transparent about the functions and processing of personal data.
- Enable the data subject to monitor the data processing.
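Pseudonymisation is the one item in that list that is a concrete technical measure, so it is worth showing what the GDPR actually means by it: the data can no longer be attributed to a person without "additional information" that is kept separately. The example below is added here and is not code from the original article or from CoreiBytes. It contrasts an unkeyed hash of an e-mail address, which anyone can reverse by guessing likely inputs, with a keyed HMAC pseudonym, where the key is the separately held additional information. All records, candidate addresses and keys are constructed for illustration.

```python
"""Keyed pseudonymisation of a direct identifier (e-mail address).

Added example, not code from the original article or from CoreiBytes.
The records, candidate list and keys below are constructed for
illustration; nothing here is real personal data.
"""
import hashlib
import hmac
import secrets


def plain_pseudonym(email):
    """Unkeyed SHA-256 of the identifier. Looks anonymous, but anyone who
    can guess the input (e-mail addresses are low-entropy) can recompute
    the hash and confirm the match, so this is not real pseudonymisation."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def keyed_pseudonym(email, key):
    """HMAC-SHA256 under a secret key. The key is the 'additional
    information' that must be kept separately from the data: without it
    a pseudonym can neither be reversed nor confirmed by guessing."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise_records(records, key):
    """Drop the direct identifier and replace it with a keyed pseudonym.
    Records of the same person still link together (same pseudonym),
    which is all most analytics needs."""
    out = []
    for rec in records:
        rec = dict(rec)  # do not mutate the caller's data
        rec["pseudonym"] = keyed_pseudonym(rec.pop("email"), key)
        out.append(rec)
    return out


def guess_identity(pseudonym, candidates, key=None):
    """Dictionary attack: recompute the pseudonym for each guessed
    identifier and return the one that matches. With key=None the
    attacker assumes an unkeyed hash; otherwise they need the
    controller's real key to succeed."""
    for cand in candidates:
        computed = plain_pseudonym(cand) if key is None else keyed_pseudonym(cand, key)
        if hmac.compare_digest(computed, pseudonym):
            return cand
    return None


# Constructed sample data (not real people).
RECORDS = [
    {"email": "Alice@example.com", "country": "IE", "purchases": 3},
    {"email": "bob@example.com", "country": "DE", "purchases": 1},
    {"email": "alice@example.com", "country": "IE", "purchases": 2},
]
CANDIDATES = ["alice@example.com", "bob@example.com", "carol@example.com"]


def demo():
    """Run both schemes against the same guess list and return a summary
    so the outcome can be checked programmatically."""
    key = secrets.token_bytes(32)           # controller's key, stored apart from the data
    attacker_key = secrets.token_bytes(32)  # the attacker does not know the real key

    plain = plain_pseudonym("alice@example.com")
    keyed = keyed_pseudonym("alice@example.com", key)
    pseudo_records = pseudonymise_records(RECORDS, key)

    return {
        "plain_reidentified": guess_identity(plain, CANDIDATES),
        "keyed_reidentified_without_key": guess_identity(keyed, CANDIDATES),
        "keyed_reidentified_wrong_key": guess_identity(keyed, CANDIDATES, attacker_key),
        "keyed_reidentified_by_key_holder": guess_identity(keyed, CANDIDATES, key),
        "alice_records_linked": pseudo_records[0]["pseudonym"] == pseudo_records[2]["pseudonym"],
        "email_removed": all("email" not in r for r in pseudo_records),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is that the key, not the hash function, carries the protection: the controller can still re-identify a record when a data subject exercises their access or erasure rights, but a leaked pseudonymised dataset without the key gives an attacker nothing to guess against. The key therefore has to live in a separate store with its own access controls, and rotating it deliberately breaks linkage with older data.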
Although the GDPR is European legislation, its global impact needs little further explanation. The GDPR applies to every company that processes the personal data of people in the EU, regardless of where the company itself is based or of the individual's citizenship. In this era of mass digitalization almost every business is global, so the regulation reaches almost every organization that handles user data. The question of the GDPR's impact is therefore a valid one for organizations everywhere.