Unless you live under a rock, chances are you’ve heard about GDPR since the European Parliament, the EU's law-making body, approved it in April 2016. After 4 years of preparation and debate, it came into effect in May 2018. Some took it in stride, some were confused, some prepared for it, some waited until the last minute. The common denominator? Everybody had questions about it. We have set out to finally demystify GDPR a year after its effective date.
GDPR stands for General Data Protection Regulation. It replaced the Data Protection Directive 95/46/EC and was designed to:
- Harmonize data privacy laws across Europe
- Protect all EU citizens’ data privacy
- Reshape the way organizations approach data privacy
While this might sound like an unnecessarily strict and impossible-to-enforce regulation, the penalties are sky-high: companies in breach of GDPR can be fined up to 4% of annual global revenue or €20 million, whichever is greater. It is therefore undoubtedly a good idea to familiarize yourself with the nuances of GDPR.
Let’s see the key points of GDPR:
Increased territorial scope
One of the biggest, and probably one of the most frowned upon, changes is the extended jurisdiction of GDPR, “as it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location.” The previous directive referred to data processing “in context of an establishment,” but those happy days are over.
The conditions for consent have been reinforced: businesses are no longer able to rely on fine print, illegible text and legalese. The request for consent must be presented in an easily accessible and understandable form that states the purpose of the data processing, and it must be just as effortless to withdraw consent as it is to give it.
Companies are now mandated to send breach notifications if a data breach is likely to “result in a risk for the rights and freedoms of individuals.” This must be done within 72 hours of becoming aware of the breach.
Right to access and right to be forgotten
Data subjects now have the right to obtain confirmation from the data controller as to whether or not their personal data is being processed, for what purpose and where. The controller has to provide this information free of charge and in an electronic format, which is a massive shift towards data transparency. Data subjects also have the right to request that their data be forgotten and erased, even by third parties who might have access to it.
Needless to say, GDPR is a very complex regulation, and many businesses might need help keeping up with it. While no software platform on its own can offer a checklist of features that makes a company completely GDPR compliant, the tools in Liferay Digital Experience Platform can greatly accelerate your company’s journey toward compliance. If you’re hungry for more information about the connection between GDPR and online marketing, keep your eyes peeled; we’ll be back!