In the past few days, most people will have received personal or professional emails informing them that a database is being updated. This is because Friday 25 May is the date on which the new General Data Protection Regulation, the EU's new data protection rules, comes into force. It applies to small firms that keep details of their clients as well as to large ones, and it coincides with the scandal over the way Facebook has used people's data. That is a perfect example of why the new law is needed, says the European Commissioner for Justice and Consumers, Vera Jourova.
What is the GDPR? In Spain it is known as the Reglamento General de Protección de Datos (RGPD); it is a new European regulation for the protection of personal data. It is the first time such a regulation has existed at European level; until now, every country has had its own legislation. The GDPR unifies the criteria for what is considered personal data and how it must be protected. The regulation took several years to draw up and was approved on 25 May 2016, but a two-year transition period was granted so that companies could adapt to the new legal framework.
Who does it affect? Every company that stores, processes or otherwise handles the personal data of any citizen of the European Union, no matter which country it operates in. In other words, even a company based in the USA with no physical presence in Europe has to comply with these regulations if it offers its products and services here.
Penalties. Companies which do not comply with this law will face fines and penalties. These cover a wide range, and they are one of the most controversial points in the text. The highest fines could be 20 million euros or four per cent of the company's worldwide turnover (whichever is greater).
Citizens. The new regulation gives citizens more rights. They can ask for incorrect, inaccurate or incomplete information to be corrected, or to be removed when it is no longer necessary or the processing is unlawful (the 'right to be forgotten'); they can object to their personal data being processed for marketing purposes or on grounds relating to their own particular situation, or ask for the processing of their personal data to be restricted in certain circumstances. EU citizens can also receive their data in a machine-readable format so that they can pass it on to another party responsible for data processing ('data portability'). They can now also ask that decisions based on automated processing be taken by actual people, and they have the right to express their point of view and to contest that decision.
More clarity. The new regulation also obliges companies to explain more clearly and simply how they use and process personal data, especially when the information is addressed to minors. This is an attempt to put an end to lengthy terms of use written in dense legal language when describing the processing of information.
Explicit consent. One of the most important changes in the regulation is that consent must be freely given, specific, informed and unequivocal for companies to be authorised to hold and process the data; it must take the form of a clear statement, and cannot be inferred from the citizen's silence or inaction. When companies request authorisation to process this information, they have to specify what they will be using the personal data for and provide the contact details of the company which processes it.
This informed consent has to include, as a minimum, the following information: the identity of the organisation which processes the data, the purposes of the processing, the type of data and the possibility of withdrawing consent. If the consent relates to an international transfer of data, the citizen must be made aware of the possible risks of transferring it to countries outside the EU where the Commission has not issued a decision covering that transfer or no suitable guarantees are provided.
Personal data. One of the most important points of the new regulation is its definition of personal data. It is defined as any information relating to an identified or identifiable natural person. Separate pieces of information which, when put together, could reveal an individual's identity are also considered personal data. Personal details which have been coded or presented under a pseudonym, so that they cannot be directly associated with anybody, but which can still be used to identify someone, remain personal data and fall within the scope of the GDPR.
On the other hand, personal details which have been anonymised, so that the person cannot be identified or is no longer identifiable, will no longer be considered personal data. For the data to be considered truly anonymous, the anonymisation has to be irreversible.
The European Commission also makes clear what counts as personal data and what it consists of: name and surnames, address, email address (the type which says email@example.com, not firstname.lastname@example.org), national identity number, location details (such as the location data from a mobile phone), Internet IP address, the identifier of a 'cookie', or the data held by a hospital.