The General Data Protection Regulation (GDPR) was proposed by the European Parliament and the Council to protect the data and privacy of citizens of the European Union. It also addresses the export of personal data outside the EU. The GDPR aims primarily to give citizens and residents control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
The General Data Protection Regulation (GDPR) standardizes data protection law across all 28 EU countries and imposes strict new rules on controlling and processing personally identifiable information (PII). It also extends the protection of personal data and data protection rights by giving control back to EU residents. GDPR replaces the 1995 EU Data Protection Directive, and goes into force on May 25, 2018. It also supersedes the 1998 UK Data Protection Act.
The GDPR applies to all organizations that hold and process EU residents’ personal data, regardless of geographic location. Many organizations outside the EU are unaware that the GDPR applies to them as well: if an organization offers goods or services to EU residents, or monitors their behavior, it must meet GDPR compliance requirements.
With the aim of giving citizens more control over their information, the GDPR ensures that citizens can ask to access their data at “reasonable intervals”, with controllers having a month to comply with these requests. Both controllers and processors must make clear how they collect citizens’ information, what purposes they use it for, and the ways in which they process the data. The legislation also says that firms must use plain language to convey these things clearly and coherently to citizens: it’s time to wave goodbye to confusing, dense terms and conditions.
Citizens have the right to access any information a company holds on them, and the right to know why that data is being processed, how long it’s stored for, and who gets to see it. Where possible, data controllers should provide secure, direct access for citizens to review what information a controller stores about them.
If a business suffers a data breach in the form of loss or alteration of data, or unlawful access to personal information, the breach must be reported to a Data Protection Authority within 72 hours of the organization becoming aware of it. If the breach results in discrimination, fraud or identity theft, financial loss, damage to reputation, or loss of confidentiality of personal data, the breach must be reported to the affected citizens as well.
Breaches can result in a fine of €10M or 2% of a company’s annual revenue, whichever is greater. More serious breaches can result in a fine of €20M or 4% of a company’s annual revenue, whichever is greater. In addition, the Data Protection Authority can impose a complete ban on an organization’s data processing operations.
A similar article on the Digital Information Security in Healthcare Act proposed by the Indian government is available here.