What is GDPR?

The entry into force of the General Data Protection Regulation (GDPR) compels companies to prepare to comply with the new law or otherwise face hefty fines. Stay up to date with the changes the legislation implies, and confirm whether your company is ready for them.

Fines for companies that do not comply with GDPR can reach up to 20 million euros.

When did the GDPR come into effect?

The General Data Protection Regulation (GDPR) came into effect on May 25th, 2018.

What exactly is the GDPR?

The GDPR is the new European Union (EU) legislation on data protection. It applies to all member-states and replaces the Data Protection Directive of 1995 and several regulations that resulted from it. The goal is to make EU laws more homogenous concerning citizens’ data protection and privacy.

Who is covered by the GDPR?

The new regulations apply to all companies that process the personal data of EU citizens or of non-EU citizens who are, or have been, in the EU. These companies must comply regardless of their size, the volume of their business, or where they process citizens’ data.

How do I know if my company is in compliance or not with the GDPR?

The questions and answers on this page can help you understand what the GDPR implies and whether your company complies with the new norms. If you still have doubts after reading it, you can get in touch with Eurotux to request a detailed technical evaluation of your case. You can also respond to Microsoft’s quick survey to assess whether or not you are in compliance.

What are the fines for non-compliance with GDPR?

Organizations that do not take adequate measures to apply the new regulations risk hefty fines of up to 20 million euros or 4% of their total annual business volume. The GDPR also makes companies accountable for the harm caused by non-compliance, namely when citizens’ data are compromised, for instance, in malware attacks. Compensation is also due in cases of interruption or restriction of data transfers, lack of the customer’s consent to data processing, and waiving of risk evaluations. These and other penalties can become very costly for companies that do not comply with the GDPR.

What requirements does the GDPR impose on companies?

The new GDPR is founded on seven fundamental principles that aim to protect the data of EU citizens and that should guide the procedures of organizations.

  1. Transparency: companies should handle customers’ data legally and transparently, and all processes must be plainly visible.
  2. Limitation of Purpose: companies should only handle personal data for the purposes they were collected for, as communicated to the data holders.
  3. “Privacy by Default”: companies should guarantee that, by default, they will only handle and store the personal data strictly necessary for the operations consented to.
  4. Accuracy: companies must guarantee that the collected data is correct throughout their processing. Incorrect data should be erased or corrected.
  5. Limitation of the storage period: companies should only keep personal data in their possession for the strictly necessary duration.
  6. Integrity and Confidentiality: companies should guarantee, by technical means, that the data of their customers are adequately protected, avoiding unauthorized or accidental publication or any other such failures.
  7. Responsibility: companies are responsible for complying with the regulations of the GDPR and for any failures resulting from non-compliance.

To what kind of data does the GDPR apply?

The GDPR applies to personal data, meaning any information related to an identified or identifiable private individual. Personal data include names, photographs, email addresses, banking data, medical information, social network publications, IP addresses, location data, and CCTV images. It covers information stored in databases for employees, sales, and service provision, as well as data submitted by customers on forms. The GDPR also defines a particular category of sensitive personal data, such as genetic and biometric data.

What new rights does the GDPR define for owners of personal data?

The GDPR strengthens the privacy and security criteria for owners of personal data held by companies, imposing a policy of “privacy by design” and “privacy by default”. As such, companies must protect the privacy of personal data from collection to storage, covering their processing until their elimination. Additionally, they must ensure that they only collect the data strictly necessary for the specific purposes XX. Citizens have the right to be forgotten: within one month of a request by the owner, companies must remove or erase that person’s data from their databases. Citizens also have the right to portability, meaning they can request that companies transfer their data to a third-party entity at no extra charge. Citizens likewise have the right to restrict the processing of their data, and they can rectify them at any time.

How will the GDPR affect how I collect my customers’ data?

The main change relates to the consent given by the data owners for the respective collection and processing. The GDPR requires a clear consent statement, oral or written, for the specific purpose of the data collection. Companies should also inform the data owner (especially if a minor) clearly and transparently about how they process the collected data and how long they will store them. Likewise, they must also inform the persons that they have the right to withdraw their consent at any moment. Withdrawing consent requires the removal of their data from databases, backups and any Disaster Recovery infrastructure. The transmission of customer data between companies is covered by the same rule, requiring citizens to state their explicit consent.

And what if I store personal data in the Cloud?

The regulation applies regardless of the data’s storage location. Thus the company needs to guarantee that it only transfers data to a cloud that complies with the same requirements that apply to any other infrastructure.

My company only processes third party data: do I still need to comply with GDPR?

The GDPR applies to companies that collect and process data for their own purposes, determining the purpose, conditions, and methods employed – known as controllers. It also applies to companies that process data on behalf of third parties – known as processors. Controllers can only use processors that comply with the GDPR. Processors must process data according to the instructions of the controllers. Likewise, they should implement security measures and keep a record of all processing activities they execute for third parties.

Does the GDPR require the appointment of a Data Protection Officer?

Public companies and organizations are required to appoint a Data Protection Officer. This requirement also applies to private companies that handle sensitive personal data or process personal data on a large scale. Although it is not mandatory for them, other companies can use this measure to guarantee that all their efforts comply with the GDPR.

What does GDPR imply for security failures?

The GDPR requires companies to report security failures to the supervising authority and to the customers whose personal data have been compromised within 72 hours of detection. This report must include the extent of the breach, the quantity of affected data and the detailed procedures for containing and fixing the problem. The company must establish preventive measures to improve IT security and prevent future failures.

Does the GDPR have anything to do with data encryption?

The GDPR defines encryption as a security measure against potential security failures. When the privacy of sensitive data is at risk, the GDPR recommends encryption as the appropriate technical measure to mitigate threats. Encryption renders data unintelligible to an attacker, so companies may have no breach to report because their customers’ data remain protected. Some products and services guarantee robust encryption for data at rest or in transit. You can get in touch with Eurotux to learn more about them.

Where should I begin to comply with GDPR?

Your company should begin by assessing how data are processed, which will identify the systems, activities, and employees that interact with personal data. Next, you should conduct a Privacy Impact Assessment and apply its findings to processes, systems, technologies, people, activities, internal regulations, and legal issues.
