Understanding GDPR
As a regular internet user, you may have noticed that many companies have updated their privacy policies and sent emails to notify you, or that websites are filled with pop-up messages requesting that you accept certain things. This behavior resulted from an effort to comply with the GDPR, or General Data Protection Regulation.
The official lawmakers describe GDPR as “the most important change in data privacy regulation in Europe in 20 years”. The previous similar legislation was a directive, meaning that it merely set a goal for the member states to reach. The current law, on the other hand, was passed as a regulation, obliging the member states to abide by it.
It was approved by the EU Parliament on April 14, 2016, and became enforceable on May 25, 2018, giving organizations a 2-year transition period.
This law applies to all organizations anywhere in the world if they offer goods and services to, or monitor the behavior of, EU data subjects. Also, the GDPR applies to both the controller (i.e. the requesting party) and the processor (i.e. the entity that processes data for the controller).
GDPR is here to:
- Protect EU citizens’ data privacy mainly from breaches.
- Change the way organizations approach data privacy.
- Give subjects more power over their personal data and the ability to object to how it is collected.
Personal data means any information that can be used to identify a subject (e.g. email addresses, social security number, location, IP address or username, etc.).
How can organizations collect data?
Under this law, every entity willing to collect and process personal data must explicitly request the subject’s consent in a clear way, using an easily accessible form. Hence the “accept” statements you may be seeing all over the internet.
Every subject has the right to have their data removed from the organization’s database, and the action must be executed immediately.
Data subject rights
Having said that, the following are additional rights contained in the regulation:
- Breach notification: in case of breach, organizations must inform their subjects within 72 hours.
- Right to access: at any time, any person can request a copy of their data free of charge. This includes the right to verify whether or not data concerning them is being processed, and for what purpose.
- Privacy by design: organizations are now required to take privacy issues into account when designing their systems, rather than addressing them later as an add-on.
Penalties
This is one of the things that organizations need to note: failure to comply with the regulation can result in a fine of up to 4% of annual global turnover or €20 million, whichever is greater.