Game Changer for Data Protection: GDPR
The landmark regulation changed everyone’s mindset on how companies worldwide collect and use the personal data of EU citizens.
FREMONT, CA: It was May 25, 2018, a day of confusion in the offices of numerous enterprises in (and often outside) the EU. The companies had sent out several emails to their clients and consumers in the days leading up to that day, asking for their agreement to receive their newsletters, something they had never actually asked for before. Simultaneously, many firms without committed workers were attempting to determine what kind of data they held about their customers and how to manage and preserve it in the future. The General Data Protection Regulation, or GDPR, went into force on that day, radically altering everyone's perspective on the use of personal data by both EU- and non-EU-based organisations that collect, process, and store EU individuals' data. Consumers in Europe now expect companies to comply with the regulation when users click the "Accept" or "Agree" button on company websites' terms and conditions, and it is also assumed that regulatory bodies will monitor the regulation's implementation.
1. GDPR applies to a wide range of data collected:
• Name, address, and ID number, as well as religious beliefs, political affiliation, racial or ethnic origin, and sexual orientation.
• Data concerning health, such as medical issues, blood tests, COVID-19 immunizations, and so on.
• Communication data, such as geolocation, IP addresses, browser history, phone calls, and messages.
• Other information, such as bank account numbers, purchasing information, and app usage.
2. Companies must adhere to the following rights of citizens:
• The right to know whether and how data is being collected and used, as well as how long it will be kept and shared. This information must be presented in a straightforward and understandable way.
• The right to inspect all data processed by a corporation, as well as the reason for its collection or the source from which it was obtained.
• If any piece of data is incomplete or incorrect, citizens have the right to have it corrected.
• The right to be forgotten, which can be exercised at any time if someone withdraws their consent for a corporation to retain data, if the data is no longer required, or if it was processed improperly.
• The right to restrict processing, as an alternative to data erasure. Users can simply ask that their information not be used for certain purposes. For example, a user may agree to the use of their data for content personalization on a streaming platform, but not for marketing activities.
• The right to object to future data processing.
3. It has a worldwide impact.
One may think that this legislation affects only enterprises based in the EU, but its implications are considerably broader. GDPR applies to all enterprises that provide products or services in the EU or process the personal data of any EU citizen. Similarly, data from EU nationals can only be exported to (and used by) nations that have identical privacy laws. The EU, being one of the world's three greatest economies, attracts investment from all over the world, making GDPR a minimum standard required to operate in any of the 27 member nations. It is hardly surprising that data protection regulators throughout the world have been enacting national legislation in an attempt to harmonise the set of standards that businesses must follow.
4. If a data breach occurs, it must be reported within 72 hours of discovery.
One of the most significant changes brought about by GDPR was the requirement for businesses to report a data breach within three days of becoming aware of it. Until today, the United States' toughest deadline for reporting security breaches was 30 days.