How US Citizens get Protection from GDPR

The General Data Protection Regulation came into effect this week in all European Union Member States. The focus of this new legislation is to protect the rights of all European Union citizens. While it is essentially an EU document, GDPR has far-reaching effects globally.

While the protection of American citizens is not part of GDPR legislation, there are instances in which American citizens’ personal data is protected under GDPR.

GDPR will, in essence, become a global document affecting how personal data is collected, processed, used, stored and erased.

As American companies have employees and trading partners that are located within the EU, most businesses will be forced to comply with GDPR guidelines or face stiff penalties. Since it makes sense and avoids perceived discrimination if the personal data of all employees and trading partners is handled the same way, US citizens will most likely have their personal data files treated by American companies the same way as those of EU citizens.

Moreover, Americans living in EU countries will fall within the remit of GDPR there when it comes to their rights regarding GDPR compliance.

What does this mean? According to GDPR, EU citizens and Americans living in an EU country have the following rights:

  • The right to be informed: Data subjects must be informed in clear, easy-to-understand language what data is being collected, why it is being requested, how it will be used and what rights they have regarding their personal data.
  • The right of access: EU citizens and those living in EU countries when their data is collected have the right to look at their personal data file.
  • The right to rectification: EU citizens and those living in EU countries when their data is collected have the right to correct, edit, amend, add to or erase any items in their personal data file that are incorrect or incomplete.
  • The right to erasure: EU citizens and those living in EU countries when their data is collected have the right to request that items or the entire file be erased. They must state a valid reason to the company’s Data Controller. The Controller may deny this request with a valid reason, but the data subject must be told how he can petition this denial.
  • The right to restrict processing: EU citizens and those living in EU countries when their data is collected have the right to request how their personal data file may be used.
  • The right to data portability: EU citizens and those living in EU countries when their data is collected have the right to request that their personal data file be transported electronically to another company.
  • The right to object: EU citizens and those living in EU countries when their data is collected have the right to object to the way in which the information in their personal data file is being used, stored, collected and/or deleted.
  • Rights in relation to automated decision making and profiling: EU citizens and those living in EU countries when their data is collected have the right to object to how data is collected electronically.

Businesses that fall under GDPR guidelines must be ready and able to tell data subjects what data is collected, how it will be used, stored, processed and/or erased. Companies must get written consent for collecting and processing personal data.

Enterprises must have in place security measures that guarantee personal data are collected, stored and used effectively.

If breaches occur, every company must have in place a process and personnel to assure the safety of data, and a process for dealing with breaches and reporting them to GDPR authorities and to the data subjects themselves.