Today, the General Data Protection Regulation (GDPR) is finally coming into force. If you’re being overwhelmed during the past weeks with emails from companies about updates to their privacy policies, that’s the reason why.
GDPR is the reference text of the European Union concerning the protection of personal data for European citizens. Its adoption marks a desire to reform and harmonize the rules of data protection with the European Union.
It concerns companies, associations, public actors and their subcontractors. Most importantly, it encompasses companies whose head offices are outside the EU but whose operating in the EU and on data from European citizens.
The new regulation aims to give citizens full control over their personal data while trying not to limit the development of companies. The purpose of the RGPD is to give more visibility and control over personal data. Indeed, in order that citizens agree more easily to share their data, the RGPD requests that all the controllers guarantee to the users a certain number of rights: a clear information on the use which will be made of their data, a possibility for them to consult the data used, to modify or delete them, etc. Even though many of these rights already existed, their exercise was previously tedious. The GDPR creates major principles pursuing a better data protection:
- Accountability: It is up to the company to take steps to comply with the GDPR, and to be able to demonstrate its compliance during controls.
- Privacy by design: Data protection must be taken into account as soon as the product or service is designed.
- Security by default: this reinforces the role of security in the information system. It must be secured at all levels with access control or at least a system to prevent security breaches. To ensure this, Data Protection Officers are created. Their role is to ensure compliance with the GDPR.
- Impact study: The GDPR demands an impact study on the protection of personal data before the implementation of new data processing that could present risks of infringement of citizens’ rights and freedoms. It will also have to provide measures to reduce this impact.
To ensure the companies’ compliance with the GDPR, sanctions are set up. They can reach over 20 million euros or 4% of the annual turnover worldwide. By unifying practices in each state, the Commission wants to make it easier for European digital players to access this market of 500 million potential customers, and to rebalance the competition with non-European actors, GAFA (Google, Apple, Facebook, Amazon). Indeed, they will be subject to the same constraints when they want to manipulate the data of European citizens thereby it gives to the GDPR a global scope.
Ludivine Plenchette
For further information:
http://www.eu-logos.org/?p=22523
https://www.cnil.fr/fr/principes-cles/rgpd-se-preparer-en-6-etapes
https://twitter.com/CNIL/status/999671537786552320
GDPR text: https://www.cnil.fr/fr/reglement-europeen-protection-donnees/