General Data Protection Regulation (GDPR) represents a new legal framework governing the way in which it will be collected, use and store personal data of citizens in EU. GDPR started to apply on May 25, 2018. GDPR refers to all those organisations that process data of citizens. Also, the regulation applies to those companies that for the purposes of their work collect data on citizens or offer goods or services to persons.
The basic items on which the General Data Protection Regulation of personal data is based (detailed in the official GDPR portal), and the owners of websites or developers may be interested in the following:
■ Wide territorial applicability. This means that GDPR relates not only to companies and businesses that operate but also to those who “process personal data” of citizens.
■ Consent. Every person whose data are collected must agree to the collection of data. This does not apply only to data collected through forms, but also to data collected in the background, such as IP address if this information is provided used for identification of persons.
■ The right of access. Every individual has the right to access their data, as well as information on how the data were collected.
■ The right to delete data. Any person will have the right to request the deletion of data from the database and the ability to request that his data will not be distributed further.
The penalties prescribed for non-compliance with the provisions of the GDPR goes up to 20 million euros or 4 per cent of the total annual turnover.
It is important to note that today there is no website that does not collect information about its users (********s, Google Analytics, Facebook, etc.), so this topic is important for many companies around the world. The reasons for collecting data can vary, starting with improving online sales, improving user experience, company business, linking to social networks, and many others.
We also distinguish two types of data that are collected: personal data (name, surname, phone number, the address of residence, email, etc.) and data on the use of website, which are sets of simple files to be stored in the user’s web browser and indicating its interactions with the site. By accepting the policy of using a particular website visitor gives consent to collect this type of data.
Two essential things in terms of GDPR have “scared” firms around the world are: the first refers to the huge fines imposed in the case of non-compliance with this regulation, and the second is the way in which the privacy policy with GDPR should be harmonised, that is, fulfil all the conditions prescribed by the regulation.
The scandal in which Cambridge consulting firm Irregularly obtained information about 87 million people from Facebook, led to the fact that the owner of the most famous social network Facebook, Mark Zuckerberg first had to apologise, respond to the US Congress, and then to apologise to the deputies in the European Parliament.
If a user makes a request for deletion of personal data, an organisation that has received such a request must completely delete personal information without delay and must notify the user about the procedures without delay. Apart from the organisation, criminal responsibility shall be borne by the person responsible for the security of personal data within the organisation.
GDPR will provide additional support to the Personal Data Protection Authorities in defining sanctions for serious violations of the law. Fewer fines are up to 10 million or in the case of the undertaking of up to 2 per cent of the total annual sales at the global level for the previous fiscal year.
For a serious violation of the regulation, a fine of up to 20 million euros has been foreseen, or up to 4 per cent of the total annual turnover for the previous financial year.
Facebook could potentially face $1.63bn fine under GDPR for the latest data breach which impacted roughly 50 million accounts. The security incident was caused by a vulnerability in Facebook’s code which permitted attackers to steal access tokens.
Access tokens are used to keep Facebook users logged in when they switch over to a public profile view via the “View As” feature.
The breach was detected on September 25. The vulnerability, comprising of three separate bugs, has been resolved and the access tokens of affected users have been reset, alongside an additional 40 million users that were subject to a “View As” lookup over the past 12 months.
It took mere hours before class-action lawsuits were filed against Facebook for failing to protect user data. It seems that it took only a little longer for regulators to become involved.
The data breach is not the only headache Facebook recently had to cope with. The company has also faced criticism over its use of phone numbers given by users in the interest of security for targeted advertising.
Oman Observer is now on the WhatsApp channel. Click here
