IS THE GDPR APPLICABLE TO OUR ORGANIZATION?
Are you prepared to meet the May 25th, 2018 application date of the General Data Protection Regulation (GDPR)? The GDPR is a data protection and privacy law adopted by the European Union, and it applies to more than just organizations based in the EU. If your organization collects, stores, transfers, or otherwise processes the personal data of individuals in the European Union (including employees, contractors, clients, donors, customers, etc.), whether by offering them goods or services or by monitoring their behaviour, the GDPR applies to you regardless of where your organization is established. Citizenship is not the test: the regulation protects data subjects who are in the EU.
WHAT DO I NEED TO KNOW?
The General Data Protection Regulation (GDPR) expands privacy rights for individuals. Data subjects in the EU have the right to:
- Obtain confirmation as to whether or not their personal data is being processed, where, for what purpose, and with whom it is shared (Right of Access)
- Receive a copy of their personal data (Right of Access)
- Correct errors in, or complete, their personal data (Right to Rectification)
- Have their personal data erased when it is no longer needed for the purpose it was collected for, or when consent is withdrawn (Right to Erasure, also called the Right to be Forgotten)
- Object to having their personal data processed, including an absolute right to object to direct marketing (Right to Object)
- Receive the personal data they have provided in a structured, commonly used, machine-readable format, and transfer that data to another controller (Right to Data Portability)
WHAT CONSTITUTES “PERSONAL DATA”?
Any information relating to an identified or identifiable natural person (the "data subject"). A person is identifiable if they can be singled out directly or indirectly, so a single field need not identify someone on its own: a combination of fields, or a field joined with data held elsewhere, also counts.
Some common examples include:
- E-mail Addresses
- Banking or Financial Information
- Social Media Information
- Medical Information (a "special category" of data, subject to stricter conditions)
- Phone Numbers
- Date of Birth
- Salary Information
- Location Data
- IP Addresses, Cookie IDs and Other Online Identifiers
KEY POINTS TO UNDERSTAND
For an organization to process the personal data of data subjects in the EU lawfully, it must have a lawful basis for each processing activity. Consent from the individual is one such basis, but not the only one; others include performance of a contract, compliance with a legal obligation, and the organization's legitimate interests where these are not overridden by the individual's rights.
The GDPR applies to organizations outside the EU that offer goods or services to, or monitor the behaviour of, data subjects in the EU. Such organizations generally must designate a representative in the EU, and EU supervisory authorities can enforce the regulation against them.
Where consent is the lawful basis, it must be freely given, specific, informed and unambiguous, and given by a clear affirmative action. Pre-ticked boxes and silence do not count as consent, and withdrawing consent must be as easy as giving it.
Organizations need to identify who is responsible for the data and its security: whether they act as a controller (deciding why and how data is processed) or a processor (processing on a controller's behalf), and whether they must appoint a Data Protection Officer.
Organizations must implement appropriate technical and organizational security measures for personal data, and must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it where the breach is likely to put individuals' rights and freedoms at risk.
Organizations that breach the GDPR can face significant fines: up to EUR 20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher.
The full text of the regulation, Regulation (EU) 2016/679, is published on EUR-Lex (https://eur-lex.europa.eu/); a summary can be found online at https://www.eugdpr.org/