The European Union's General Data Protection Regulation - What It Means for Your Business

As most of you already know, the EU's primary personal data law, the Data Protection Directive 95/46/EC, was replaced by the General Data Protection Regulation (GDPR), which took effect on 25 May 2018. Many consider this the biggest and most important change in data privacy law in the past 20 years. In this guide, we explain the new regulation and how it may impact your business.

What Is the GDPR?

The General Data Protection Regulation (GDPR) aims to create consistent protection for the personal data of all individuals within the European Union (EU) and the European Economic Area (EEA). Because it is a regulation rather than a directive, it applies directly in every member state (28 EU countries at the time of writing, plus the EEA states) without each state having to transpose it into its own national law, which standardizes data protection rules across the bloc. The GDPR also applies to any organization, regardless of where it is located, that offers goods or services to individuals in the EU or monitors their behavior there.

What Are The Differences between the DPD and the GDPR?

The most important change under the GDPR is the broadened definition of personal data and of what counts as processing it. Its focus is to give individuals control over the personal data that companies collect about them. In practice, this means it applies to any organization that offers goods or services to, or monitors the behavior of, people in the EU, not only to organizations based there.

What is the definition of "personal data"?

Under the GDPR, personal data is any information relating to an identified or identifiable natural person. Identifying information includes such things as a name, an ID number, location data, or an online identifier such as an IP address; ethnicity, political opinions and similar data are treated as "special categories" of personal data and get stricter handling. Data does not have to be confidential or sensitive to qualify as personal. For a typical business, personal data includes (but is not limited to) names, email addresses and IP addresses, whether stored in your own systems, in third-party hosted services, or collected through email signup and contact forms. To better understand the regulation, consult the text published in the Official Journal of the European Union, which defines all terms used in the law. Note that the regulation does not apply to processing carried out by an individual in the course of a purely personal or household activity; processing for law enforcement purposes is governed by a separate directive, and research and statistical processing is subject to specific derogations rather than being fully exempt.

What is the punishment for non-compliance?

Non-compliance can result in fines of up to 4 percent of the organization's annual global turnover or 20 million euros ($24.6 million), whichever is higher. There is, however, a tiered approach to fines: the lower tier is up to 2 percent of annual global turnover or 10 million euros, whichever is higher, and covers failures such as not keeping records of processing in order, not notifying the supervisory authority and the affected data subjects of a breach, or not conducting a required data protection impact assessment. It is important to note that these rules apply to both controllers and processors.

Privacy Shield

AVOXI complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use and retention of Personal Information transferred from European Union member countries and Switzerland, respectively, to the United States. AVOXI has certified to the Department of Commerce that it adheres to the Privacy Shield Principles, including notice, choice, accountability for onward transfer, and security of data. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view AVOXI's certification, please visit http://www.privacyshield.gov/.

Closing Thoughts

While these changes may seem confusing and worrisome, much of the enforcement attention so far has been directed at some of the world's biggest technology companies, including Facebook and Google; the obligations themselves, however, apply to organizations of every size. If you have any questions or concerns, you can view the FAQ section of the GDPR portal. You can also view AVOXI's privacy policy, which is available on our website, or email us at [email protected].