The European Union's new General Data Protection Regulation (GDPR) is the new reference text on the protection of personal data.
It strengthens and unifies data protection for individuals within the Union, particularly in view of the rise of digital technology in everyday life.
It also aims to help companies set up a standardised and more transparent governance of the data they collect, in order to make it easier to run value-added analytical programmes (improved customer knowledge, better risk management, fraud and hacking prevention, etc.).
After four years of negotiations, the new European Regulation was finally adopted by the European Parliament on 14 April 2016. Its provisions are directly applicable in all 28 EU Member States from 25 May 2018. It replaces the Data Protection Directive adopted in 1995.
Main objectives
The main objectives of the GDPR are to increase both the protection of the persons concerned by the processing of their personal data and the responsibility and accountability of those involved in such processing (bodies and companies). The aim is therefore to give citizens back control over their personal data, while simplifying the regulatory environment for businesses and other economic and social players.
All of these bodies, whatever their size (small, medium or large), are concerned as soon as they collect and process so-called personal data.
Personal data means any data relating to an identified or identifiable natural person (surname, first name, e-mail address, telephone number, photograph, subscriber number, account number or loyalty card number, for example).
The GDPR aims to secure this data against abuse, fraud and hacking of all kinds, while giving new rights to the data subjects and harmonising the rules at European level.
To collect and store personal data, it will therefore be necessary to have a lawful basis for the processing, such as the consent of the individual, and to bear in mind that certain so-called sensitive information (religion, sexual orientation, ethnic origin, disabilities, criminal record, health conditions, etc.) may not be requested or collected except in the specific cases the Regulation provides for.
Every person will have a right to erasure (the "right to be forgotten"), a right to rectification and (this is new) a right to the "portability" of his or her data: the right to receive the data they have provided in a structured, commonly used and machine-readable format and to reuse it or transmit it to another organisation.
How will the GDPR be deployed?
Each country in Europe (including the UK) has published guidance to help companies comply. Sanctions and penalties are provided for in case of infringement, but some tolerance and transition time will be allowed in order to give companies time to adapt.
The first step for companies will be to produce an inventory of the data they hold and then to sort and update it: what kind of data it is, how it is used, how long it is kept, etc.
A Data Protection Officer should then be appointed (either internally or externally) where the Regulation requires one, or where the nature of the processing makes it advisable.
Companies will have to inform the individuals concerned (customers, prospects, employees, candidates, etc.) about how their personal data are being used.
They must also ensure that their partners, suppliers and other subcontractors work in compliance with the GDPR, including the obligation for a processor to report any personal data breach to the controller without undue delay, so that the controller can notify the supervisory authority within the 72 hours the Regulation requires.
The AURES Group has been working on its GDPR compliance for several months and will keep its customers, partners and employees regularly informed of the progress of its projects in this area.
For additional information on the GDPR and its implementation:
https://ec.europa.eu/info/law/law-topic/data-protection_en
https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
http://eur-lex.europa.eu/eli/reg/2016/679/oj
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
https://www.cnil.fr/fr/textes-officiels-europeens-protection-donnees