Date: April 23, 2018
GDPR stands for General Data Protection Regulation, a new data privacy law in the European Union that will take effect on 25 May 2018. This regulation has major effects on how businesses process data and ensure privacy, with hefty financial consequences.
Nayax is committed to data privacy and we’ve put together a guide to understanding the new piece of legislation.
Who Does This Law Apply To?
Although the law refers to the rights of EU citizens, it applies to any business that has EU citizens as data subjects or any business that processes the personal data of EU citizens.
Furthermore, the law applies to data controllers and any third-party data subcontractors they engage, who will be equally liable for any data violations.
Why Is The EU Introducing GDPR?
The EU’s thinking is that the digital economy can only grow with consumer trust. It believes the best way to foster trust is through transparency, which will help private citizens understand how their data is used.
The rights granted give citizens back control of their personal data. These rights are also meant to encourage businesses to use their consumers’ personal data respectfully, emphasizing security and privacy above the companies’ own bottom line.
Financial Penalties
What gives this law weight are the increased monetary fines for violating the GDPR. For the most severe infringements, businesses can be fined 4% of their global annual turnover or €20 million (whichever fine is larger).
Personal Data
Any person who is identified, or who can be identified, from data is protected under this law. Personal data can include an email address, IP addresses or any other metadata collected.
The GDPR will force organizations to identify all the personal data they may hold. It also requires businesses to keep internal records of how they are complying with the new legislation, in case they are audited by the EU.
Data Access
The GDPR gives EU citizens the right to enquire and change their minds. They will have the right to access their data from a data controller, enquiring what data is being processed and for what purpose. Furthermore, they have the right to be “forgotten” and the right to data portability; that is, they can ask that their personal data be deleted or transferred to another data controller.
Privacy By Design
Two other important ideas raised by GDPR are privacy by design and data minimization. Data protection should be kept in mind when designing a new system or starting a company. Additionally, the law requires that data only be minimally processed, restricting the holding and processing of data to a limited audience with the purpose of completing a job.
Consent
With GDPR, consent will no longer be a once-off agreement, but an ongoing activity, with the onus for communicating on the business. If any changes occur to a privacy policy or the terms and conditions, the business is responsible for informing its users what the changes are. Terms and conditions will also need to be written in clear language that doesn’t obscure intent.
Nayax has undergone a data protection impact assessment (DPIA) to comply with the GDPR legislation. At present we are engaged in modifying and updating our business activities, products and internal processes to be fully GDPR compliant by May 25th.
In the next few weeks Nayax will upload a new privacy policy and set of terms and conditions to demonstrate how we are committed to ensuring our users’ data protection and privacy. We encourage you to read them and to learn about your rights. We are happy to answer any questions you have about the matter.