GDPR – General Data Protection Regulation
GDPR is a regulation in European Union law designed to protect the privacy of individuals within the European Union. GDPR was adopted on 14 April 2016 and became enforceable beginning 25 May 2018.
GDPR contains provisions that all organisations must comply with concerning the storage and processing of the personal data of individuals, regardless of the organisation’s location or the citizenship of the individual.
Storing Personal Data
Organisations must put in place secure systems and appropriate processes to safeguard personal data and must ensure that the data is not available publicly without the consent of the individual.
- Systems that access the data should encrypt the data in transit to and from those systems.
- The data should be stored in such a way that, in the event that it is compromised, it cannot be used to identify the personal details of an individual.
Organisations must obtain unambiguous consent from the individual before storing their data.
Right of Disclosure
Individuals have the right to demand that an organisation provide a portable copy of their data in a common format. Organisations must also notify the individual if their data has been shared with a third party.
Right to Revoke Consent
The individual has the right to revoke their consent and the right to have their data erased in certain circumstances.
Organisations whose core business centres around the regular processing of personal data are required to employ a Data Protection Officer (DPO), who is responsible for managing compliance with the GDPR.
Businesses must report any data breaches that impact the privacy of the individual within 72 hours.
Failure to comply with GDPR may result in a fine of up to €20 million or, in the case of an enterprise, up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater.