Personal data protection has become vital due to the growing number of data breaches in today's digital world. In Europe, new regulations began to operate in 2018, affecting all companies worldwide that work with residents of the European Union (EU). These laws set new standards for data security and impose high penalties for violations.
One of the most important laws in this area is the General Data Protection Regulation (GDPR). It was adopted in the EU in 2016 and went into effect on May 25, 2018. The GDPR defines the rules for processing and protecting the personal data of EU citizens.
The GDPR also requires companies to obtain explicit consent from their users for the processing of their personal data. Users have the right to withdraw their consent at any time, and companies must then delete all data associated with that user. In addition, the GDPR establishes the rights of users to access, modify and delete their personal data. Companies must also ensure the security of personal data and notify breaches within 72 hours of discovery.
Within data protection in the context of the GDPR, two roles can be distinguished: the controller and the processor. The controller is the organization that collects user data and decides how it is processed, while processors include IT companies that provide the technical resources and infrastructure used to process this data on the controller's behalf.
The GDPR affects all parties dealing with the personal data of EU citizens, regardless of where those parties are located. Therefore, this law also affects online businesses and platforms that accept international clients or members.
Since the introduction of the GDPR, controllers are required to process EU users' data transparently. Once the purpose of the processing is achieved and there is no longer a legitimate need for a particular user's data, it must be deleted, so that personal data is not stored indefinitely on servers that could be breached at any time.
The concept of personal data in the European Union has received a broader definition because of the enactment of the GDPR. Information about the user's device and location, such as an IP address, is now considered personal data. Financial, psychological, or ethnic history, as well as any information that can be used to identify a person, is also included in this category. Notably, anonymized or pseudonymized data is also considered personal data if it can easily be linked back to a specific person. In addition, any information already covered by the Data Protection Act is categorized as personal data under the GDPR.
According to the GDPR, people have the right to access the personal data about them held by a controller. Controllers must respond to such user requests within 30 days. The parties involved must be transparent about how data is collected, used, and processed, and the documents explaining these processes should be written in simple, understandable language.
Changes to data processing rules came into effect in the European Union on May 25, 2018. Many companies had to rethink how they collect, use, and store information about their customers and users.
Updating systems and processes to comply with the GDPR can be difficult for some companies, as they often lack the infrastructure needed to meet all of the requirements. In this case, it is best to engage a consulting firm or a security company to assist with the full compliance process.
The main consequence for organizations that fail to comply with the rules is heavy fines. Whether a data breach is caused by an external hacker, an insider, or an unidentified source does not matter under the GDPR, which places the responsibility entirely on the organization itself.