The GDPR was approved by the EU Parliament in April 2016. The regulation enters into force after a transitional period of two years and, unlike a directive, does not require national governments to pass enabling legislation. This means it will be in effect on May 25, 2018.
The GDPR applies not only to companies located in the EU, but also to companies located outside the EU that offer goods or services to, or monitor the behavior and information of, individuals in the EU. It applies to all companies that process and store the personal data of persons residing in the European Union, regardless of where the company is located.
Companies can be fined up to 4% of overall annual turnover or EUR 20 million for breaching the GDPR. This is the maximum fine that can be imposed for the most serious infringements, for example, not obtaining sufficient customer consent to process data. A company may be fined 2% for failing to keep its records in order (Article 28), for not notifying the supervisory authority and the data subject of a breach, or for failing to carry out an impact assessment. It is important to note that these rules apply to both controllers and processors, which means that information held in the "cloud" is not exempt from the regulation.
Personal data is any information relating to an individual, or "data subject", that can be used to directly or indirectly identify that person. It can be any element such as a name, a photo, an email address, bank details, posts on social networking sites, medical information, or a computer's IP address.
A controller is the entity that determines the purposes, conditions and means of processing personal data, while a processor is an entity that processes personal data on behalf of the controller.
The conditions for consent have been strengthened: companies can no longer use long, unreadable terms and conditions full of legalese, because the request for consent must be given in an intelligible and easily accessible form, stating the purpose of the data processing attached to that consent, which means it must be unambiguous. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Explicit consent is required only for the processing of sensitive personal data; in that context, an explicit opt-in is needed. For non-sensitive data, "unambiguous" consent will suffice.
Parental consent will be required to process the personal data of children under the age of 16 for online services. Member States may legislate for a lower age of consent, but it may not be lower than 13 years.
A regulation is a binding legislative act that applies in full across the EU, whereas a directive is a legislative act that sets out an objective all EU countries must achieve, leaving it to each country to decide how. It is important to note that the GDPR is a regulation, unlike the previous legislation, which was a directive.
DPOs must be appointed in the case of: (a) public authorities, (b) organizations that carry out systematic large-scale monitoring, or (c) organizations involved in large-scale processing of sensitive personal data. If your organization does not fall into one of these categories, you do not need to appoint a DPO.
The rules on data breaches concern mainly the reporting obligations of companies that have been breached. Under the GDPR, breach notification becomes mandatory in all Member States where a data breach is likely to result in a risk to the rights and freedoms of individuals. This must be done within 72 hours of becoming aware of the breach. Data processors will also be required to notify their customers, the controllers, without undue delay after becoming aware of a data breach.