General Data Protection Regulation

The GDPR ( General Data Protection Regulation ) happens to be a regulation in force throughout the European Union and which aims to strengthen the protection of personal data . It directly replaces the directive on the protection of personal data adopted in 1995. As such, it concerns both individuals and professionals.

The GDPR applies to all data relating to natural persons, such as social security number, bank data or any other information allowing the identification of an individual. It is a regulation “compulsory in all its elements and directly applicable in all member states”.

Companies affected by the GDPR

The General Data Protection Regulation concerns all European companies collecting and storing private data for the purpose of commercial use (foreign companies working in partnership with European companies also subject to this regulation).

Thus, the text requires the implementation of technical and administrative security measures vis-à-vis personal data . These protections must correspond to the degree of potential risk run by the company. In addition, each concerned is under the obligation to notify any fault or intrusion within 72 hours of its discovery.

What is the General Data Protection Regulation?

The GDPR , in force since May 25, 2018, directly replaces Directive 95/46 EC on data protection . It thus exposes companies that do not comply with the rules to have to pay a heavy almond in the event of theft of personal data . Indeed, it allows not only to harmonize privacy laws across Europe, but also to offer effective and lasting protection for customers and partners of professional organizations. The main objective of this new regulation is to “give back to citizens control of their personal data, while simplifying the regulatory environment for businesses”.

More generally, the GDPR makes it possible to reorganize the way in which the various professional sectors manage personal data within a company.

Characteristics of the General Data Protection Regulation

From now on, all the rules relating to data protection are grouped under a single set. This thus helps to mitigate the fragmentation of national laws. Characteristics of the GDPR :  

• An extraterritorial application: the GDPR applies to all companies processing personal data of people residing in the European Union, regardless of the location of the registered office of that company (which was not the case before).

• Positive consent: the General Data Protection Regulations also aim to strengthen the obtaining of consent. Indeed, it is no longer possible for companies today to mislead customers via illegible conditions and drowned in incomprehensible legal jargon (it is no longer allowed, on a website for example, to pre -check the box “I agree to receive the newsletter”). This is information that must be easily accessible. Obviously, all persons concerned reserve the right to ask the controller for the purpose and nature of the use of the information.

• Right to erasure: any data subject has the right to request the erasure of personal data held, and this, to the controller. The General Data Protection Regulations also introduce data portability: everyone concerned is entitled to receive personal information concerning them and held by a company. In this sense, the GDPR encourages managers to keep only the data necessary for the performance of tasks. We are talking about data minimization here.

Sanctions in the event of non-compliance with the General Data Protection Regulations

The GDPR imposes more severe sanctions : companies finding themselves in direct violation of the standards imposed by the GDPR are exposed to an almond of up to 4% of annual global turnover, or 20 million euros ( maximum penalty for the most serious offenses). In the event of intrusion or breach of the security of personal data, the company must notify it within 72 hours.

In the event of non-compliance with the GDPR , several sanctions may be applied against companies. Indeed, the sanctions involved are said to be “gradual”, since they directly depend on the severity of the events. Thus, it can range from a simple warning (or a formal notice) to criminal administrative sanctions. Obviously, and because of their particularly large amounts, these sanctions have above all a dissuasive purpose.

Furthermore, it is important to remember that non-compliance with the GDPR can directly impact the image and reputation of the company at fault.

Even if, globally, the GDPR can be perceived as a loss of competitiveness of European companies (there is no similar regulation in the United States), it remains mandatory and particularly important to respect.