Updated: Mar 10
The General Data Protection Regulation, or ‘GDPR’, took effect in May of 2018. This stringent data regulation made personal data protection rights a compliance priority for companies in the EU. It also affects organizations all over the world that handle the personal data of individuals in the EU, not just companies based there. The GDPR requires organizations to safeguard the personal data of people in the EU (the regulation calls them ‘data subjects’, and protection does not depend on citizenship). Failure to comply with GDPR rules can result in significant penalties and lasting damage to your corporate brand.
Understanding the GDPR and Data Regulation
The GDPR is designed to give individuals in the EU more control over how businesses use their personal data. It gives them the right to decide how their personal data is used and to know how it is being managed. The GDPR also provides individuals with the right to restrict further processing of their personal data and to request that their data be erased. This right to erasure is commonly known as the ‘right to be forgotten’.
The GDPR introduces essential changes, such as increased fines, mandatory breach notifications, a requirement for opt-in consent where consent is the basis for processing, and accountability for data transfers outside the EU. Given this, the GDPR’s impact on corporate practices is enormous and permanently alters the way customer data is collected, used, and managed.
The types of data the GDPR seeks to protect include:
Name, address, ID numbers, and other basic identity information
Web data such as location, IP address, and cookie data
Health and wellness data
Racial or ethnic origin and other special categories of data, which receive stronger protection
Which Companies are Impacted by the GDPR?
The GDPR has a global reach: it applies to any organization that stores or processes personal data of individuals in the EU, even if the organization has no business presence within the EU, provided its processing relates to offering goods or services to those individuals or to monitoring their behaviour.
An organization is required to comply with the GDPR if either of the following applies:
It is established in an EU country and processes personal data in the context of that establishment.
It has no establishment in the EU but offers goods or services to, or monitors the behaviour of, individuals in the EU.
Company size does not determine whether the GDPR applies. The 250-employee threshold often quoted relates only to record-keeping: organizations with fewer than 250 employees are exempt from maintaining full records of processing activities unless their processing is likely to pose a risk to the rights and freedoms of data subjects, is not occasional, or involves special categories of data.
The Impact of GDPR on Corporate Practices
The GDPR outlines the primary responsibilities and processes that help assure data protection within data processing entities. These responsibilities are defined as follows:
Offering Individuals the “right to be forgotten”
When an individual no longer wants their data to be processed and no lawful basis for keeping it remains, the organization must erase it. If, however, there is an existing contract or legal obligation that requires the data to be retained, it may be preserved until that obligation ends.
Providing Individuals with Easier Access to their Data
The right to data portability simplifies the process by which individuals can obtain their personal data in a machine-readable format and transmit it between service providers. In addition, individuals can access more information about how their data is processed.
The Right to be Informed of a Data Breach
Organizations are required to notify the national supervisory authority of a personal data breach unless the breach is unlikely to put individuals at risk. This notification must be made without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to individuals, the affected individuals must also be informed without undue delay so they can take appropriate action.
Data Protection by Design and by Default
‘Data protection by design’ and ‘data protection by default’ are essential elements of EU data protection rules. Data protection measures must be incorporated into products and services from the initial development stages, and the default settings must limit processing to what is necessary for the specific purpose.
The GDPR Workforce Training Requirement
Article 39(1)(b) of the GDPR lists “awareness-raising and training of staff involved in processing operations” among the tasks of the data protection officer, and Article 47(2)(n) requires appropriate data protection training for personnel under binding corporate rules. While the GDPR imposes no general, explicit obligation to train every employee in data protection, breaches that result from the absence of such training can lead to significant penalties. To help protect your organization and safeguard data, a basic understanding of the terms “personal data”, “processing”, and “rights and freedoms of natural persons” should be conveyed to employees. To be effective, employee training must cover the most important basic principles of data protection law, such as transparency and the obligation to inform individuals about how their data is used.
eLearning for GDPR Employee Training
In recent years, as online technologies have continued to evolve, eLearning has emerged as a cornerstone of employee learning programs of all kinds, including GDPR training. eLearning offers a level of cost-effectiveness, convenience, and flexibility that classroom-based training struggles to match.