GDPR is compulsory for any company or organisation – based in Europe or not – that will sell products, services, or export data related to European individuals, will be obliged to adhere to the GDPR.
Basic principles should be applied by companies and their employees. For every data treatment, those actors are responsible for the information they use. Before GDPR, they needed to make a statement and explain the purpose. GDPR does not make it compulsory anymore. However, companies are obliged to prove they took the necessary measures to document their usage of personal information. It is also compulsory to prove that it was done in the respect for the rules of the art.
Basic principles of GDPR : documentation and awareness of existing activities
Companies and organisations have an obligation of means in terms of information documentation but not an obligation of result.
1. The rights of persons
The impact on files handlers will be important as they will need to document how and why they use the citizen’s information they manage. For example, the right of access or the right of correction to personal information will be adapted. Actually, when a citizen asks for it, it will be compulsory for file handlers to provide a reply within 30 from the date of the request.
2. The increased penalties
Compared to the previous regulation, the penalties will increase with GDPR : 4% of global turnover or 20 million € for any company which is not GDPR compliant on May 25th 2018.
GDPR applies worldwide. For example, a Colombian company that manages data of European citizens is subject to it.