In an era of near-total digitalisation, with huge volumes of data moved into electronic registers and databases that are often poorly protected against computer attacks, it is not difficult to commit crimes involving the misuse of personal data (PD).
Over the last decade in particular, much attention has therefore been focused on protecting the interests of PD subjects and on preventing identity theft, which is quite common in the European Union countries.
How can your privacy be protected, and what are the general GDPR rules for collecting and processing data? You will find answers to these questions in this article.
The rules of self-defence
Nowadays large data aggregators collect and exchange both personal and depersonalised data. This is no secret to professionals, but it usually is to the PD subjects themselves.
There have been repeated cases in which the data of one person is used by several others, and the individual is completely unaware that not only his or her data but also assets of various kinds have been used by unauthorised persons holding enough personal information about him or her.
To prevent this and other unlawful practices, general rules were needed: the conditions under which data may be acquired and exchanged, so that a person can protect his or her personal data by knowing where and what information about him or her is used. Accordingly, the need ripened both to limit the dissemination of this data and, conversely, to grant access where that brings benefits and better services.
To improve the situation and protect PD more effectively, the General Data Protection Regulation (GDPR) became applicable across the EU on 25 May 2018.
The GDPR replaces the 1995 EU Data Protection Directive (95/46/EC) and strengthens the rights it gave to individuals in the EU; unlike a directive, it applies directly in every member state without national implementing legislation.
The regulation also gives supervisory authorities more powers to take enforcement action against organisations that fail in their duty to uphold those rights.
GDPR rules for data collecting and processing
The regulation sets standards for data protection and privacy in the European Union. One of its main objectives is to define the rules that protect a natural person's data. This person is referred to as the data subject.
The other actors are data controllers, i.e. the organisations that decide why and how personal data is processed (typically the companies collecting it), and data processors, i.e. the entities that process the data on a controller's behalf, such as a hosting or analytics provider.
Both have a duty to keep the data secure, using technical and organisational measures appropriate to the risk. The controller must additionally inform data subjects about the processing and have a lawful basis for it; consent is one such basis, but not the only one, so consent must be asked for before processing only where no other lawful basis applies.
What are the rights of data subjects?
Among these are the right to access their data and have it corrected, to object to or restrict its use for certain analyses or in certain contexts that the PD subject does not want, and to have it erased.
The main changes in the processing and storage of personal data introduced by the GDPR can be summarised in three points:
- Companies must tell the user the purpose for which the information is collected;
- New documentation: companies must keep internal records of their data processing activities;
- Obligation to report personal data breaches within 72 hours (if personal data is leaked, or otherwise accessed, altered, lost or destroyed without authorisation, the company must notify the local regulator within 72 hours of becoming aware of it, unless the breach is unlikely to put the affected individuals at risk; a mere attempted attack that did not compromise any data is not a breach in this sense, though it should still be logged and investigated).
Fintech in Focus
Data protection, and the threat of data loss, is becoming a primary concern. The regulation is therefore especially relevant for Fintech companies, which usually handle the data of individuals, whether those individuals are their own customers or the customers of another business that owns the customer relationship and for which the Fintech acts as a service provider.
Implementing the GDPR requires substantial investment not only in infrastructure but also in security services, which small companies may not be able to afford. Nevertheless, it is a prerequisite for an adequate level of protection of personal information.
Should you need legal advice on developing company rules for GDPR compliance, you are welcome to contact IQDecision UK, where our competent staff will provide all the help you need. You can also order a separate set of consultations on the company's GDPR compliance issues.
EU GDPR compliance requirements
The regulation applies to personal data processed by automated means and to manual data held in structured filing systems, wherever the controller or processor is established in the EU. Controllers and processors outside the EU are also covered if they offer goods or services to data subjects in the EU, or if they monitor the behaviour of data subjects to the extent that the behaviour takes place in the EU.
Companies must therefore clearly understand their role under the regulation, whether data controller or data processor, and ask themselves three questions: are we established in the EU, do we offer goods or services to people in the EU, and do we monitor the behaviour of people in the EU? If the answer to at least one of these is yes, which it will be for many companies, they must ensure that they comply with the applicable parts of the regulation. Fines for non-compliance can be very high: up to the greater of €20m or 4% of worldwide annual turnover for the most serious infringements.
If you are looking for legal advice on GDPR requirements and standards in the EU, look no further!
Our IQ Decision lawyers specialising in these matters will provide comprehensive answers to all of your questions in an individual consultation.