What are GDPR regulations?
The General Data Protection Regulation (GDPR), a groundbreaking set of rules that limits how organizations can gather, transmit, and use information collected from individuals online, went into effect in the European Union on May 25, 2018, and has affected data privacy around the world.
GDPR unified the rules previously established separately by each EU member state, codifying them into one collective set of data regulations. Every company that stores the personal data of EU citizens must, by law, comply with GDPR or face a fine of up to €20 million or 4 percent of the company’s global annual turnover. GDPR applies to data controllers, processors, and data subjects based in the EU, and to any organization outside the European Union that collects the personal data of EU residents for processing.
Some highlights of GDPR include:
- Consent: Customers must give the organization their consent to use their personal data; companies must inform customers about the nature of each type of data they use and be able to prove they have consent from the individual whose data it is. Consent must be given freely and specifically, and customers have the right to withdraw it at any time or to refuse the use of their data for other insurance activities, such as marketing. Customers can also request that the insurance company delete their personal data where it is no longer required for its original purpose.
- Data breaches: Any breach of personal data must be reported to regulators within 72 hours and, in some cases, to the affected individuals themselves. Serious breaches can result in fines of up to €20 million or 4% of the company’s worldwide annual turnover, whichever is higher.
- Unified regulation: GDPR protection standards are extraterritorial, meaning that all businesses, no matter where they are located, must comply when doing business in an EU member state. All organizations within the EU are bound by the same rules, regardless of where they are established.
- Increased penalties: Organizations in breach of the provisions of the GDPR face significantly higher fines: €10 million or 2% of the company’s global turnover (all sales, net of taxes) for offenses related to, among others, child consent, transparency of information and communication, data processing, security, storage, breach, and breach notification; and €20 million or 4% of the company’s global turnover for offenses related to, among others, data processing, consent, data subject rights, non-compliance with a DPR order, and transfer of data to a third party. In each case the penalty is whichever amount is higher.