BRIEFING ON THE EUROPEAN LAW:
In force since 25 May 2018, the GDPR (General Data Protection Regulation) is a European Union (EU) regulation protecting the personal data and privacy of individuals in the EU and the EEA (European Economic Area).
The regulation gives individuals stronger privacy rights and gives regulators more power to act against companies that violate it.
The law also applies to companies located outside the EU that process or store data about individuals in the EU. International transfers of personal data are also governed by the GDPR.
Heavy fines apply to anyone who fails to comply with the law. Penalties can reach up to €20 million or 4% of annual global turnover, whichever is greater.
The GDPR also broadens the definition of personal data: it covers any information relating to an identified or identifiable natural person, including genetic, mental, cultural, economic, and social identity factors.
Any company that wants to collect user data must do so transparently and, where consent is the legal basis, obtain it clearly from the user. Data subjects have the right to be forgotten, that is, to have their personal data erased from the records without undue delay.
Parental consent is required to process the personal data of children under the age of 16 (member states may lower this threshold, but not below 13).
All data subjects have the right to access the personal data collected about them.
Appointing a data protection officer (DPO) is mandatory for organisations whose core activities involve large-scale processing of personal data (or of special categories of data), and is considered good practice for others.
Controllers must report a personal data breach to the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
A data protection impact assessment (DPIA) is mandatory for processing that is likely to result in a high risk to individuals.
Privacy must be built into products, systems, and processes from the design stage onward (privacy by design and by default).
Data controllers must have adequate contracts in place to govern their data processors, and processors can be held directly liable for the security of personal data. Controllers must also have a legal basis for collecting and processing personal data.
Companies operating in several member states deal with a single lead supervisory authority (the one-stop-shop mechanism).
As a way to help companies protect personal data and systems in line with the GDPR, the ISO 27001 standard can serve as a reference model.