On May 25, 2018, the GDPR (General Data Protection Regulation), EU Regulation 679/2016, came into effect. Although it was voted on 24 May 2016, the European Parliament gave all entities that handle the personal data of individuals a two-year period to comply with the new regulation. The regulation is not the first of its kind: every EU Member State, and many non-member states, already had a law or regulation on personal data protection (in Romania's case, Law 677/2001, supervised by the National Supervisory Authority for Personal Data Processing), but it is the first regulation to harmonize personal data protection legislation across Europe.
The regulation applies to any entity that controls or processes the personal data of citizens of the European Union. Regardless of the entity's geographical location, if it is established in a place where Member State law applies by virtue of public international law, the GDPR applies to it as well.
Personal data means any information about an identified or identifiable natural person, that is, a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity. So that the natural person who owns the personal data has greater control over that data, and implicitly over its processing, the GDPR establishes the following rights:
- the right to be informed
- the right of access
- the right to rectification
- the right to deletion
- the right to restrict processing
- the right to data portability
- the right to object
- rights related to automated and profiling decisions
Through the right to be informed, the GDPR requires that an entity wishing to process personal data present, as transparently as possible, both the rights the data subject has regarding that data and all the elements involved in carrying out the processing. Specifically, the information provided should be:
- offered for free
- written in plain and simple language
The Regulation also imposes some major obligations on entities working with personal data; failure to observe them may be penalized with fines of up to 4% of global annual turnover or 20 million EUR.
One of the main obligations is obtaining the consent of the data subject before any processing of his or her data.
Consent must be requested in a clear and easy-to-read form, accompanied by a plain explanation of the purpose for which the data is processed.
Any security incident that poses a risk to individuals' rights and freedoms must be reported to the supervisory authority within a maximum of 72 hours from the time the incident was detected.
Processors are also required to observe the principle of accountability. For any entity, this principle translates into a range of technical and organizational measures that ensure processing takes place in a more secure, confidential, documented and, of course, insured environment.
At Hostico, we have always tried to work with our customers as transparently as possible, responding to all of their requests, but in order to comply with the new regulation we have made improvements to both our web and our physical security.
These will be updated as the need arises, but will always be kept in line with the GDPR.