What are the general requirements and major impacts of the GDPR, and how does this law differ from data protection legislation in the United States?
The Answer
What are the general requirements?
GDPR requirements can be grouped into a few broad categories, although they also overlap.
• Identification and classification of personal data.
• Implementation of a governance plan for personal data:
  - Establish procedures for handling personal data.
  - Obtain consent before processing personal data (when consent is the legal basis for processing).
  - Provide data subjects with specific information at the time the personal data is collected.
  - Discontinue the processing of personal data.
  - Restrict the processing of personal data on request.
  - Provide data subjects with a copy of their personal data upon request.
• Protection of personal data through security measures:
  - Take general and specific security measures to protect personal data.
  - Carry out tests, evaluations and assessments.
• Notification, record keeping and reporting:
  - Notify the competent supervisory authority of a personal data breach.
  - Maintain a record of processing activities.
What are the main impacts of the GDPR?
It affects practically all companies, because the GDPR introduces new obligations that did not exist under the previous regulation. As a result, every company's existing practices will be out of date by the time the regulation starts to apply.
This new data protection regulation is directly applicable, from the established date, to any organization that collects, stores or processes personal information and that:
- Offers services to citizens of the European Union residing in the EU.
- Monitors the behavior of these citizens.
Personal information here means any content by which a person can be directly or indirectly identified (name, photos, addresses, website, bank details, etc.).
How is this law different from data protection law in the United States?
As you probably already know, because we never tire of talking about it, any company that collects data from citizens of the European Union must comply with the provisions of the General Data Protection Regulation, which entered into force on May 25, 2018.
Before the arrival of the GDPR, the transfer of data between the United States and the European Union was regulated by a treaty known as the Privacy Shield, which offered companies a way to self-certify annually in order to demonstrate compliance with a series of data protection rules.
Today, however, the Privacy Shield has taken a back seat to the obligation to comply with the GDPR. Although it is reviewed annually and has been modified several times recently to align with the standards of European regulation, self-certification still raises doubts because, in practice, it offers few legal guarantees. The Privacy Shield now remains as an add-on that companies use to give their customers greater confidence.