General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679 entered into force on May 25, 2017, and is generally binding for all companies operating across the European Union. Any legal entity of any size falls under the new GDPR regulation. As the name of the regulation indicates, its main concern is the protection of personal data, including: name, address, email address, phone number, date of birth, IP address, political views, religious views, etc.
The fundamental principle of the regulation is transparency. Every processor of personal data must adopt appropriate protection for such data. Another important principle is the express consent of the person whose personal data is being processed, which among other things rules out unsolicited commercial communications.
Fines for non-compliance with GDPR may reach up to 20 million euros or up to 4% of the global annual turnover of the previous financial year, whichever is higher.
The vast majority of websites collect personal data either directly, by registering and authenticating customer accounts, personalized product listings, contact forms, etc., or indirectly, through cookies used for statistics or analysis. In the latter case, site owners often overlook the fact that these statistics collect personal data. The most common example is Google Analytics, which collects personal data such as location, address, age, gender, etc. Analysis systems can be configured to anonymize personal data.
The GDPR Regulation requires all companies to implement technical and organizational measures to ensure that GDPR requirements are met - "confidentiality by design" and "confidentiality by default". Companies must take data protection requirements into account from the earliest phase of any new technology, product or service that involves the processing of personal data (confidentiality by design) and must apply appropriate data processing measures (confidentiality by default). GDPR calls for a number of measures that help companies achieve these goals, including: minimization of personal data processing, data encryption or anonymization, transparency in their functions and processing, and allowing data subjects to monitor how their data is managed. These measures must be kept up to date.
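The two preceding paragraphs mention that analytics systems can be set to anonymize personal data and that GDPR favours data minimization, encryption or anonymization. The following is an added illustration of what that looks like at the data layer; it is example code written for this page, not the page's own material and not Google Analytics code. It applies the IP truncation that Google Analytics documents (last octet of IPv4 zeroed, last 80 bits of IPv6 zeroed), replaces account identifiers with a keyed HMAC pseudonym, and drops query strings before a record is stored. The log format, field names and secret key are constructed for the example.

```python
"""Added example: IP-address anonymization and keyed pseudonymization of
user identifiers before analytics data is stored.  Illustrative code only;
the log format, field names and key below are constructed for this example."""
import hashlib
import hmac
import ipaddress

# Constructed sample records (not real traffic): source IP, account id, request path.
SAMPLE_LOG = [
    "203.0.113.77 alice /account/settings",
    "203.0.113.201 bob /products?category=shoes",
    "2001:db8:abcd:1234:5678::1 alice /checkout",
    "198.51.100.9 - /index.html",
]

# Secret used only for pseudonymization. In practice it lives outside the
# analytics store so the pseudonyms cannot be reversed from the store alone.
PSEUDONYM_KEY = b"constructed-example-key-rotate-me"


def anonymize_ip(ip_text: str) -> str:
    """Zero the host part of an address: the last octet for IPv4 (/24),
    the last 80 bits for IPv6 (/48), the truncation Google Analytics documents."""
    ip = ipaddress.ip_address(ip_text)
    prefix = 24 if ip.version == 4 else 48
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(network.network_address)


def pseudonymize(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed HMAC-SHA256 of a user identifier, truncated to 16 hex characters.
    Same id + same key -> same pseudonym, so sessions of one user still link;
    rotating the key breaks that linkage, and without the key the pseudonym
    cannot be matched against a dictionary of plausible usernames."""
    digest = hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:16]


def minimize_record(line: str) -> dict:
    """Parse one constructed log line and keep only the fields the analytics
    use-case needs, with the direct identifiers transformed."""
    ip_text, user_id, path = line.split(" ", 2)
    # Query strings routinely carry names, e-mail addresses or search terms,
    # so they are stripped rather than stored.
    path = path.split("?", 1)[0]
    return {
        "ip_prefix": anonymize_ip(ip_text),
        "user": None if user_id == "-" else pseudonymize(user_id),
        "path": path,
    }


def minimize_log(lines) -> list:
    """Apply minimize_record to every line and return the stored-form records."""
    return [minimize_record(line) for line in lines]


if __name__ == "__main__":
    for record in minimize_log(SAMPLE_LOG):
        print(record)
```

Run stand-alone, the script prints one minimized record per input line: the two `alice` requests share a pseudonym while the raw username never reaches the output, the IPv4 addresses collapse to their /24, and the IPv6 address to its /48. The design choice worth noting is the keyed hash rather than a plain SHA-256: an unkeyed hash of a short username is trivially reversed by hashing candidate names, which would defeat the pseudonymization the text asks for.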
The regulation requires organizations of all sizes to adopt a new set of processes and policies designed to give individuals greater control over their personal data records. Much of this work involves writing new processes and manuals, training staff and updating systems to follow the new procedures. Other measures are practical, such as the use of encryption wherever data is exposed to risk. A lost or stolen laptop or USB stick should not lead to a penalty if it has been encrypted with a validated product. One of the key principles of GDPR, as set out in Article 5, is to ensure the appropriate security of personal data, and, as stated in Article 32 (Security of Processing), encryption is a suitable technical measure to achieve this. If encryption is used as a technical measure, it must allow data to be restored promptly after an incident, and records must be kept to show that the systems are secure and recoverable. The GDPR Regulation also requires enterprises to notify the competent authority (and, under certain conditions, the data subjects) of all data breaches without undue delay, within 72 hours, unless the data breach is unlikely to result in a risk to the individuals concerned.