Knowing what the GDPR definition is and what it means for you and your business is crucially important. The European Union has a new law on the books for protecting data privacy. It’s the General Data Protection Regulation, more commonly called the GDPR. This Friday, it goes into effect in the EU’s 28 member states.
The law changes the rules for companies that collect, store or process large amounts of information on residents of the EU, requiring more openness about what data they have and who they share it with.
That means you, Facebook.
It also means any company with a digital presence in the EU (which for the time being still includes the UK) will have to comply with the law or face steep penalties.
The deadline to comply with the law has been looming for two years, ever since the European Parliament adopted it in April 2016. When the Cambridge Analytica scandal at Facebook emerged in March, privacy advocates found an eye-catching example of why internet users might want more control over who can access their data.
“I think the GDPR, in general, is going to be a very positive step for the internet.” ~ Facebook CEO Mark Zuckerberg
The GDPR came up several times duringin April, and it was a major focus Tuesday when members of the . EU officials said to questions about the GDPR, and he promised to follow up with answers in writing.
“I think the GDPR, in general, is going to be a very positive step for the internet,” Zuckerberg told US lawmakers, going on to discuss Facebook’s plans to, and become about on the site.
It’s not just the household names of the internet like Facebook that will have to comply. Health care providers, insurers, banks and any other company dealing with sensitive personal data will also be on the hook.
The GDPR will have a significant impact on our online footprints and on how the apps and services we use protect or exploit them. Here’s what you need to know.
The General Data Protection Regulation is a sweeping law that gives residents of the European Union more control over their personal data and seeks to clarify rules and responsibilities for online services with European users. It replaces the EU’s previous law governing data protection, passed in 1995, and makes some dramatic changes to existing conventions.
The regulation expands the scope of what companies must consider personal data, and it requires them to closely track the data they’ve stored on EU residents. If someone in the EU wants a company to delete his or her data, send copies of the data, or correct an error in the data, companies have to comply.
The law goes even further than that. EU residents can now object to specific ways companies are using their data, saying that they don’t mind if a company keeps the data as long as it stops using the info for a particular purpose.
What’s more, the law requires companies to notify users within 72 hours of a data breach — something very few companies currently do. For example, during the Equifax breach that exposed the personal information of millions of people in the US and beyond, the company spent weeks stopping the attack and then planning how to deal with the damage before informing the public.
Each member state of the EU will have its own enforcement mechanism, with one GDPR supervisor per country.
Residents can make complaints to the governing body in their respective country. Companies found in violation of the law will face fines that could be very steep. The maximum fine for a GDPR violation is 20 million euros or 4 percent of a company’s annual global revenue from the year before, whichever is higher.
Friday. The regulation was ratified in 2016 and organizations were given a two-year “implementation period” to prepare. This grace period ends on May 25, 2018, when enforcement begins in earnest.
No — and this is why it’s major international news. The GDPR applies to any organization that collects, processes, manages or stores the data of European citizens. This includes most major online services and businesses that collect, process, manage or store data. Because of this, the GDPR essentially sets a new global standard for data protection.
The regulation applies to a broad array of personal data, including a person’s name and government ID numbers. It also protects information that can show a person’s activity both online and in the real world. That includes location information, as well as IP addresses, cookies and other data that lets companies track users as they browse the internet.
Many large online services and social-media companies are updating their privacy policies and terms of service to prepare for the new legislation. Facebook’s response is sure to be closely scrutinized by European regulators, given the Cambridge Analytica scandal as well as past concerns about the company’s data collection.
These include the kerfuffle in 2007 over the company’s controversial Beacon advertising program that broadcast user activity on partner sites. And don’t forget user uproar when Facebook and its subsidiary Instagram. The GDPR makes it much clearer that these kinds of activities aren’t OK.
In his testimony during a joint hearing of the Senate’s Judiciary and Commerce Committees on April 10, Zuckerberg stated his support “in principle” for a GDPR-like opt-in standard for users before they give up their data — but he didn’t commit, adding “details matter.” (, which he left open during a short break, included a warning: “Don’t say we already do what GDPR requires.”)
But those rights don’t have the force of law behind them, which means you can’t file a complaint against Microsoft for violating the GDPR if you aren’t an EU resident. While you enjoy these rights only as long as a company says you do, it does show that the European regulations are reshaping the way major companies approach user data.
Seems not. In an interview with Bloomberg, EU Justice Commissioner Vera Jourova said the new GDPR rules “cannot be applied in this [Cambridge Analytica scandal], because there’s no retroactivity possible.”
The GDPR requires companies that have lost control over customer data, or that have been hacked, to notify users within 72 hours. That’s one of the rules that carries the maximum penalty. For instance, if Facebook were found to have failed to comply, it could be liable for a $1.6 billion penalty (based on its 2016 annual revenue of $40 billion).
The GDPR requires businesses and organizations to obtain parental consent to process the personal data of children under the age of 16.
No. Most states have their own laws governing data breaches and notification requirements, and most apply to only a limited type of data: Social Security numbers and health or financial information.
on how public companies should disclose breaches and risks.
Californians could be voting on a data privacy law this year, the California Consumer Personal Information Disclosure and Sale Initiative. That would let residents request copies of their data from companies, find out which third parties companies have sold their data to, and ask companies not to sell or share their personal data.
This blog post was shared from CNET; all rights are theirs and credit goes to the author.