When EU regulators published the first draft of the General Data Protection Regulation (GDPR) more than four years ago, the document was hailed as one of the most important developments in protecting consumer data. In the four years since, companies around the world have been scrambling to understand how the law applies to them. It hasn’t been easy.
Your company might need to comply even if you are not physically located in the EU. If you’re not sure how the legislation affects you, your best bet is to contact a GDPR consultant for advice. An experienced consultant is the most qualified to assist. In the meantime, here are five things you might not know about the EU’s GDPR:
1. It Updated Previous Legislation
One of the most common misconceptions about the GDPR is that it was entirely new back in 2016. Nothing could be further from the truth. While some of its provisions were new, the bulk of the legislation was meant to update previous legislative directives, like the Data Protection Directive 1995.
This explains why so many regulators were so keen on getting the GDPR developed and implemented as quickly as possible. Some of the issues discussed in the legislation had not been touched since the 1990s. At the speed at which digital communications have evolved, it was no stretch to say that most of the older rules were all but impossible to apply in the modern environment.
In its implementation, the GDPR superseded the Data Protection Act 1998. It is now the most up-to-date legislation of its kind and the final authority on data protection within the EU.
2. It Reaches Beyond the EU
It can be quite a shock for companies outside the EU to receive letters from regulators inquiring about their compliance. It happens, nonetheless. Why? Because the GDPR reaches beyond EU borders. The legislation requires companies based on foreign soil to still comply if they do business in the EU.
There are several qualifications a company would be required to meet in order to have to comply, but the basic rule states that compliance is necessary for companies that have employees or customers in the EU. So even a business in Kenya would have to comply if it operated in the EU and met the other qualifications.
3. It Treats Data Differently
One of the reasons the GDPR reaches so far beyond EU borders is that it applies to so many different kinds of data. More importantly, the legislation treats certain kinds of data differently. For example, there are a few categories of sensitive data that are afforded greater protection under the law. This more sensitive data includes things like:
- sexual identity or orientation
- ethnic and racial origins
- political leanings
- religious beliefs and affiliations
- genetic and biometric information
- general health information
- trade union membership.
The more sensitive the data, the greater the obligations companies have to protect that data. EU regulators take sensitive personal data very seriously. They are bound and determined that companies doing business within their borders take every reasonable step to protect that data.
4. It Strives for Data Minimisation
Holding up the entire GDPR is the fundamental principle of data minimisation. In other words, the legislation strives to keep the amount of data collected and processed to a minimum. Companies are encouraged by the rules to collect only as much information as is necessary to do business. They are also encouraged to delete data that is no longer needed.
What does this look like practically? Imagine a retail business looking to sign people up for its newsletter. That company would have no need to ask about political opinions or sexual orientation. Such information is not necessary to maintain a mailing list.
5. Customers Have Rights
Did you know that under the GDPR, customers have certain rights regarding their information? For example, they can request that the companies they deal with provide a detailed accounting of all of the personal information they store or process. Customers need only submit a formal request.
Requests must be responded to within one month. Moreover, companies cannot charge for the report. Customers can make a request in writing or verbally. Requests can even be submitted through social media.
Another customer right is the right to be forgotten. If a customer requests that a company eliminate all of their personal information for whatever reason, that company must comply. Companies do not have the right to hold on to customer data once a request to be forgotten has been submitted.
This gives customers a lot of power over how their data is processed and stored. Unfortunately, many consumers do not know they have this right. Companies are expected to inform customers of the right should any complaints to that effect arise.
Is your company required to comply with the GDPR? If you’re not sure, don’t take any chances. Work with a consultant or do the research on your own. The last thing you want is for your company to be found out of compliance.