GDPR, the General Data Protection Regulation, is an initiative proposed by the EU in 2012 to replace the 1995 Data Protection Directive; it came into effect on 25 May 2018. The new regulation reflects the need to protect the personal data of EU individuals against the background of skyrocketing growth in the consumption of digital technology.
Events such as the 2015 viral campaigns or, more recently, the scandals involving Facebook have created a trend of opinion in favor of this kind of regulation.
How can Romanian companies get in line with these new GDPR regulations? First, it is important to understand clearly what these new laws involve, as they will affect not only businesses in the European Union but also those outside it.
In order to facilitate a detailed explanation of these provisions, we’ll refer to terms such as:
- Personal Data – includes, without limitation, confidential and personal information such as first and last names, physical or email addresses, identification documents, means of payment, location data, political opinions, religious or philosophical beliefs, or data related to the physical appearance of a person.
- Data Processing – includes, without limitation, the collection, storage, consultation, alteration, use or transmission, as well as the deletion and destruction, of the personal data mentioned above.
- Data Encryption – the process of securing the transmission of confidential information between institutions or companies and citizens, using advanced encryption technologies (mathematical algorithms).
The GDPR initiative is meant to offer EU citizens increased transparency and security in how their data is processed and encrypted in the online environment. The regulations require companies that provide services to individuals in the European Union to inform consumers about how their personal data is processed and the purpose for which it will be used. At the same time, this initiative adds value and credibility to a brand, considering the extent to which the present-day consumer appreciates the confidentiality of their actions in the online environment.
Many large companies, and even some startups, had complied with these regulations long before they became effective. Now, however, the EU will make sure that all companies implement these provisions fully and transparently, which will improve relations between consumers and suppliers.
We all know Apple’s Safari 10, the new version of the web browser, was a big success in 2017. It offers the possibility of blocking unwanted monitoring of personal data, as well as other behaviour such as the automatic playing of video content on a page, which may be classified as aggressive marketing.
The New Provisions and Their Importance
The new provisions should not alarm any operator (private legal entity), as they have been prepared not only for the benefit of users, but also for the benefit of companies and other organizations. The provisions have been developed based on Directive 95/46/EC, which was repealed once the new GDPR came into effect.
It’s true that these provisions will substantially affect everyone's marketing and operational strategies. The following is a summary of the provisions:
- Any entity that processes the consumer data in the EU, including third parties, may be liable to prosecution if these provisions are infringed.
- When an individual does not want their data to be processed by an operator (company/institute), the information must be destroyed, on condition that there are no reasonable grounds to keep it.
- If they process confidential information on a wide scale for a large number of consumers, operators are obligated to designate an expert in personal data management (small and medium-sized companies are exempted from these provisions if data processing is not an essential part of their business).
- The operators are obligated to report to the national supervisory authorities any serious violation of these new regulations immediately.
- Parental consent is necessary for children under a certain age to be able to use social networks (the age criterion varies from 13 to 16 years, according to the specific laws of each country).
- Individuals are entitled to the portability of their data, which allows for the easy and convenient transfer of their personal information when they change services between suppliers.
Of course, the law provides for more than just that, and any company doing business in the online technology sector should seek the advice of a specialized law firm. For many companies that have already developed online marketing strategies in keeping with the old regulations, the new law does not necessarily bring major unforeseen changes.
You can find some considerations on the impact GDPR will have on Romanian companies here.