You’re likely getting a lot of email from various vendors about the GDPR. It only applies to companies that do or want to do business in the European Union, but some companies in the United States are following suit and matching requirements here regarding data protection for individuals.
It does not necessarily impact how we handle data protection here at Streetsboro Schools since we are not in the business of aggregating, collecting, and selling user data to others. In fact, we take several measures to protect both student and staff data and only disclose the legal minimum to vendors and other partners – enough data to create a username, for example.
Regardless, your personal data in accounts like Twitter, Facebook, and other online services is likely impacted by the now enforceable regulation in the EU, and you will be able to make choices about your data with some of those vendors. It’s important to fully understand how it impacts you as a private citizen, and how you may take steps to protect your data and yourself.
So, what is the GDPR?
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also addresses the export of personal data outside the EU and EEA.
The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Superseding the Data Protection Directive, the regulation contains provisions and requirements pertaining to the processing of personally identifiable information of data subjects inside the European Union.
Business processes that handle personal data must be built with data protection by design and by default*, meaning that personal data must be stored using pseudonymisation or full anonymisation, and use the highest-possible privacy settings by default, so that the data is not available publicly without explicit consent, and cannot be used to identify a subject without additional information stored separately.
*Apps like Facebook and Twitter operate quite the opposite, with the intent of collecting and selling your information – it’s how they make money.
No personal data may be processed unless it is done on a lawful basis specified by the regulation, or if the data controller or processor has received explicit, opt-in consent from the data’s owner. The data owner has the right to revoke this permission at any time.
A processor of personal data must clearly disclose any data collection, declare the lawful basis and purpose for data processing, state how long data is being retained, and state whether it is being shared with any third parties or outside of the EU. Users have the right to request a portable copy of the data collected by a processor in a common format, and the right to have their data erased under certain circumstances.
Public authorities and businesses whose core activities center around the regular or systematic processing of personal data are required to employ a data protection officer (DPO), who is responsible for managing compliance with the GDPR. Businesses must report any data breaches within 72 hours if they have an adverse effect on user privacy.
It was adopted on 14 April 2016, and after a two-year transition period, became enforceable today, 25 May 2018.
Because the GDPR is a regulation, not a directive, it does not require national governments to pass any enabling legislation and is directly binding and applicable.