We live in an increasingly data-driven world, where companies leverage our personal information on a regular basis and often without notifying us or obtaining our consent.
It’s no secret that tech giants like Amazon, Google, Twitter and Facebook offer their services for free in exchange for people’s personal information. One of the main factors behind the introduction of the General Data Protection Regulation (GDPR) is therefore the desire of the European Union (EU) to bring data protection law in line with how people’s data is actually being used.
The dangers of giving perpetual rights to your data, sometimes without even knowing it, can be illustrated by the scandal that recently erupted around Cambridge Analytica. Allegedly, data from 50 million Facebook users was illegally harvested to impact the US presidential election in 2016.
General Data Protection Regulation is coming
What does GDPR stand for? After years of effort and negotiation, the EU Parliament finally drafted and approved a new law called the ‘General Data Protection Regulation’ in April 2016. This regulation was designed to harmonize data privacy law throughout Europe, protect all EU citizens from data breaches and radically alter the way organizations deal with data privacy. GDPR will take effect as early as May 25th of this year.
What changes to expect under GDPR
The GDPR is considered to be the most significant change in data privacy regulation in the last few decades. Its jurisdiction extends to all companies processing the personal data of EU residents, regardless of whether the company is located inside or outside the EU. Effectively, the law is going to affect thousands of companies around the world, including, but not limited to, those in the USA.
When companies fail to adequately secure personal data, they can be heavily fined under the GDPR. Noncompliance can result in fines of up to $24.5 million or 4% of the company’s global annual turnover for the previous financial year, whichever is higher. Essentially, if your company controls or processes the personal data of EU residents, you have to comply.
‘Consent’ of the data subject, as defined in the law, means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her (Article 4(11)). GDPR leaves almost all existing requirements for consent unchanged; nonetheless, certain new conditions will apply:
- The principle that “consent is a processing condition” is retained.
- Under GDPR, consent requires explicit permission of the data subject.
- Parental consent is required as well in cases where information society services are offered to children.
- Pre-GDPR consents remain valid under GDPR provided they comply with the GDPR requirements for consent.
- In cases of noncompliance, organizations will be exposed to heavy fines.
Which companies will be affected by GDPR?
As mentioned above, GDPR applies not only to firms located in the EU, but also to all non-EU organizations processing and holding the personal data of EU residents. The specific criteria that determine whether a company is required to comply include:
- Location within the EU.
- No presence in the EU, but it processes personal data of EU citizens.
- Over 250 employees.
- Fewer than 250 employees, but the company’s data processing impacts the rights and freedoms of data subjects or includes certain types of sensitive personal data.
US companies are ready to invest in GDPR
According to a PwC survey, 92 percent of US companies have a positive attitude towards GDPR and have set data protection as their highest priority. Previously, investing a budget of $1 million in data privacy was more of a choice than a rule for many US corporations. GDPR’s potential fine of 4% of annual turnover has changed companies’ appetite for ignoring this risk: 77% of companies now plan to spend between $1 million and $10 million on GDPR compliance.
GDPR provides 8 fundamental user rights
GDPR comes into force in May 2018 and states that the data of EU citizens can only be used if they give a company clear, affirmative consent. There are eight main rights that will drastically change the way personal data is collected, stored and used:
- The right to erasure, or ‘the right to be forgotten’, allows users to have their data removed at any time without giving a specific reason.
- The right to be informed requires that all organizations be completely transparent about how they use personal data such as a work email address or work mobile number.
- The right of access empowers users to know exactly what information is stored about them and how it is processed.
- The right to rectification means that users can correct or complete their personal data if it is inaccurate or incomplete.
- The right to restrict processing gives users the right to limit the processing of their personal data.
- The right to data portability allows users to retain, reuse and transmit their personal data for their own purposes.
- The right to object to the use of their personal data, for example for the purposes of direct marketing or scientific or historical surveys.
- The right not to be subject to automated decision-making, that is, decisions made without any human involvement that may have legal effects concerning the user.
How PDFfiller handles users’ personal data
The information customers give us – username, email address, fax number, file names, and browser information – is used only to provide the services available at PDFfiller. We do not have access to, and do not store, our customers’ payment details, credit card numbers or PayPal details.
We retain the user’s information for as long as their account is active or as needed to provide services. Once a subscription expires, the customer’s files are deleted automatically within 30 days. The user may delete his or her account at any time by visiting My Account.
Try out PDFfiller and keep your documents confidential with advanced security options such as HIPAA security standards, two-factor authentication and an audit trail.