GDPR is an updated version of the age-old Data Protection Directive [95/46/EC] of 1995. The decision to upgrade the existing directive did not happen overnight. The proposal for a more comprehensive regulation came jointly from the European Parliament, the Council of the European Union (EU) and the European Commission. The main motto of the General Data Protection Regulation (GDPR) is to strengthen the protection of the data of individuals within the EU territory. The law applies to all EU and non-EU companies that process or deal with the private data of EU citizens, irrespective of their location.
Key dates: June 25, 2012; December 17, 2015; April 14, 2016; May 25, 2018.
With the introduction of the new data protection regulation, many policy changes came to light. From stricter compliance checks to hefty fines, GDPR has brought in a massive wave of transformation to make data usage more transparent and organized.
The significant difference between GDPR and its predecessor lies in the type of legal instrument each one is. Unlike the previous policy, GDPR is not a directive. It is a regulation that legally binds all the companies falling under its jurisdiction with stricter laws to follow. A directive, by contrast, can only lay out objectives like a guide; it cannot enforce them.
The new regulation makes consent forms more explicit for better transparency when dealing with data. There is no place for unclear or ambiguous consent forms. GDPR makes it compulsory for businesses to explicitly state the facets of consent forms, making them distinguishable from other declaration forms. Also, privacy policies should be set out in detail and should be readily accessible to the subject. The customer should have precise knowledge of what purpose their data will serve before being asked for consent regarding its usage.
According to the new law, companies handling EU subjects’ data must give importance to system design from the beginning. It should not be an add-on for a later stage. Right from the start, data controllers must pay attention to designing the system giving priority to privacy concerns. When using new technology to process data, the company must perform a Data Protection Impact Assessment (DPIA) to find out the possible risks.
The reach of the previous data protection directive was limited to the EU territory. Only companies located in the European Union were subject to the directive. However, the new law eliminates territorial boundaries and makes GDPR applicable to all data controllers and processors. As long as your company processes EU subjects’ data, you are bound to comply with GDPR. Location is no longer a limitation on where the data protection law applies.
Earlier, data subjects did not enjoy as much transparency and control over their data as they are now going to with GDPR in use. Although the previous directive also gave EU citizens rights over their data, the new regulation adds an extra edge to them with a more rigorous approach.
Now, under GDPR, the subject has the right to ask the controller to erase their data whenever they want. Also, an individual enjoys the right to access their data to verify that it is not being misused.
Everything related to the processing and use of data should be made known to the individual. As per GDPR, the subject has the right to know for what purpose their data is going to be used.
Under this right, an individual has the freedom to port their data from one controller to another as per their will. They can at any time demand a copy of their data for transferring it to the other.
According to the previous directive, the local Data Protection Authority (DPA) had the responsibility to record the activities of the data controllers. But with the new law, companies with large-scale data processing will have to appoint a Data Protection Officer (DPO) who will systematically and regularly monitor the data processing.
GDPR makes breach notification mandatory. Data controllers must inform their supervisory authority about any data breach incident within 72 hours of learning about it. Also, they must notify the subjects who are at risk due to the breach.
Under GDPR, everyone is responsible for protecting data and accountable for any data breach. Earlier, it was only the data controller who was held liable for data misuse, if any. But now both the data processor and the controller have to comply with GDPR to avoid mishandling of data. This means that even third-party data processors will have to follow the compliance norms set by the new EU regulation.
Article 83 of the new regulation clearly states that enterprises failing to comply with GDPR policies will have to bear heavy penalties. The penalty amount can be a maximum of 4% of global turnover for the previous financial year or €20 million, whichever is greater. However, the fine will be set on the basis of the level and the criteria of the different types of non-compliance. Also, besides the fine, the company may receive warnings or a permanent suspension of its data processing licence.
The healthcare industry deals with highly sensitive patient data. Therefore, the application of GDPR becomes more stringent and stricter in this sector. Unlike the previous directive, GDPR clearly defines health data and focuses on protecting patient data as well. It brings all the physical and mental health information of an individual under the definition of ‘health data.’ Hence, data processors and controllers engaged in health data processing have to abide by GDPR compliance guidelines at any cost.
We, as a marketing database provider in the healthcare industry, have always given priority to protecting our client data. It is not that we have become alert and started paying particular attention only with GDPR coming into play. While most providers were adversely affected by GDPR, we had the opposite experience. Even before GDPR got implemented, we were ready to face the compliance challenge. A dedicated legal team ensures that we follow all the norms to keep our proceedings legal and wise.
Our team has taken the necessary steps to ensure that the data we offer is GDPR compliant.
“Data protection is the need of the hour. It is our joint responsibility to respond to the legal obligations to prevent misuse of data.”
*For any further query about GDPR compliance, visit the EU’s official website for first-hand and more accurate information.