What is GDPR?
General Data Protection Regulation
You may not have heard of this new regulation, but every company around the world that stores or uses data about any person in the European Union (EU) has been working behind the scenes to become GDPR “compliant” by May 25, 2018, the date the regulation becomes enforceable.
GDPR replaces the Data Protection Directive 95/46/EC that was put in place by the EU in October 1995.
GDPR’s primary goal is to give control back to EU residents over their personal data. GDPR was approved by the EU Parliament in April 2016.
Key GDPR Terminology
- Data Controller: The company or entity that decides why and how your data is collected and processed, e.g. Facebook or Amazon.
- Data Processor: Any third party that processes, stores or manipulates your data on behalf of the Data Controller, e.g. a cloud hosting provider or an outsourced payroll service.
- Data Subject: You! The identified or identifiable person the data is about, whether it was collected directly from you by the Data Controller or handled by a Data Processor.
- Personal Data: Any information relating to an identified or identifiable person. This is broader than the usual notion of personally identifiable information (PII): it covers data you provide to the Data Controller or Data Processor as well as data they derive or collect about you, such as IP addresses, device identifiers and location data.
Important consumer protections covered by GDPR:
- Notification of a data breach: In my previous post Data.Data.Data. the majority of the recent data breaches consumers weren’t alerted that their PII was compromised until weeks and sometimes months after the incident. Under GDPR, if a breach is likely to *“result in a risk to the rights and freedoms of natural persons”*, the Data Controller must notify the supervisory authority of the affected EU member state within 72 hours of becoming aware of it, and a Data Processor that discovers a breach must notify its Data Controller “without undue delay”. Where the breach is likely to result in a *high* risk to individuals, the Data Controller must also inform the affected Data Subjects without undue delay. For comparison, Yahoo! did not disclose its 2013 breach until December 2016, three years after it happened!
- Subjects’ right to be removed: Also known as the “right to be forgotten” or “right to erasure”, this one is significant! As a Data Subject, you have the right to request that your data be expunged by the Data Controller, which must in turn pass the request on to its Data Processors and, where it has made the data public, take reasonable steps to inform other controllers that are processing it. The right is not absolute: a controller can refuse, for example, where it is legally required to keep the data.
- Data Portability: All Data Subjects have the right to request and obtain from the Data Controller the personal data they have provided to it, in a “structured, commonly used and machine-readable format”, and to have it transmitted directly to another controller where that is technically feasible. The controller must act without undue delay and in any event within one month of the request (extendable by a further two months for complex requests).
I think the European Union is implementing the proper steps to ensure that Data Subjects have comprehensive control of how their data is being used.