Data protection law has become a hot topic in recent years. The European Union (EU) recently passed new legislation called GDPR, which aims to give individuals greater control over their personal information.
To learn more about data protection law, read on.
Introducing Data Protection Law
Data protection law is applicable in the EU and any company that has an operation in the EU needs to follow it. It can affect how companies store and use the data of their customers.
The GDPR is a regulation and applies directly to all EU member states. The purpose of the GDPR is to give individuals greater control over their personal information.
It gives customers more rights over how companies collect, process, store, and use their data. The GDPR sets out specific rules that must be followed by companies that want to handle the personal data of individuals located in the EU.
While there are similarities with UK law, it also has some important differences. For example, it includes a broader definition of what constitutes personal data.
It also increases the penalties for non-compliance. The GDPR has been in effect since May 2018, replacing the 1995 Data Protection Directive as the main instrument for protecting personal data in European Union member states.
Companies that process or store the data of EU citizens must comply with the GDPR requirements or face fines of up to 20 million euros or 4% of their annual global turnover, whichever is higher.
How does Data Protection Law work?
To understand how data protection law works, consider the following steps:
1: Identify If Your Company Needs To Follow Data Protection Law Or Not:
Data protection law only applies to companies that store or process personal information about citizens located within an EU country. If your company does not have any operations in Europe then it does not have to follow the GDPR rules.
However, if you do have operations in Europe (e.g., customers residing there) then your business must comply with the GDPR rules.
2: Understand What Constitutes Personal Data:
Personal data is any information relating to a person who can be identified directly or indirectly (e.g., name, email address, ID card number). Personal data can be factual (e.g., name) or an opinion (e.g., age).
The GDPR protects all personal information, including names and email addresses, but not a company’s registration number, as this is not considered a person’s identity under general European Union law (i.e., indirect identification).
3: Identify The Source Of Personal Data:
The GDPR requires that the data subject give clear and specific consent to the use of their data. If a company relies on consent as the legal basis for processing personal information, it must ensure that the individual has consented to that specific processing. For example, if a company wants to process an individual’s data for marketing purposes, it must obtain separate consent to do so.
4: Identify What You Are Going To Do With The Data:
The GDPR requires that companies have a legal basis for processing an individual’s personal information. The legal bases available under the GDPR are:
If the company relies on consent as its legal basis, it must ensure that the individual has consented to that specific processing, and to any other purpose(s) for which consent is being relied on.