The EU regulator has set out to protect the personal data of its residents within the EU as well as globally wherever the data might be transferred to or stored.
The chatbot, named Parker, helps companies in non-EU jurisdictions (including SA) to determine whether the GDPR applies to their business, says Norton Rose Fulbright. A major consequence of falling within its scope is that a business risks fines of up to €20 million or 4% of annual global turnover, whichever is higher.
Realistically, this is also likely to be one of the areas where distributed ledger technologies (blockchain and its ilk) really come into play, likely even more so than ICOs (which are primarily pure speculation plays).
In addition, the media will generally be able to claim an exemption if the personal data they are handling is held "with a view" to publication, if they believe that publication would be in the public interest, and if complying would be incompatible with journalism. The definition of personal data covers not only name, address, and date of birth but also IP addresses, location data, cookie identifiers and genetic data.
The GDPR specifies lawful bases for processing personal data, including the data subject's consent, necessity for the performance of a contract, and compliance with a legal obligation.
In contrast to US privacy laws, which tend to cover specific kinds of personal data (e.g., healthcare, financial), the GDPR covers all personal information relating to an identified or identifiable individual.
Member countries must accept a larger role for their data protection authorities, who will be central to guaranteeing that the rules are applied. Whether the GDPR applies becomes a trickier question for companies based solely in the United States.
"However", Baines explains, "one of the key principles under GDPR is that personal data should be treated fairly, and that revolves around what people's reasonable expectations are". Facebook was criticised for carrying out "massive combinations of personal data of Internet users for purposes of targeted advertising", to which they "have not consented and cannot oppose". The healthcare providers and insurers that are "covered entities" under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are the controllers of health data in this regard. The aim of the GDPR is to give more protection to an individual's data in the digital age.
This includes solid cybersecurity, staff training, and contingency plans for responding to an information leak or personal data breach if one occurs, so as to minimise the damage.
The platform has always had a shorter data retention period than Facebook, never holding on to information for more than two years. Consent can be granted for the use of data for a specific purpose, later withdrawn, and granted again for a different purpose. Post-discharge patient engagement also means that the collection and processing of patient health data is subject to the GDPR for European Union residents who received medical care outside the EU. Both are essential to understanding its potential risks and how it must comply with the new regulation. "Combining your compliance programmes will save you time, effort and money", says Crawford.
Conduct a comprehensive data audit to understand data sources, collection and processing. Rigorous requirements for consent to retain and use personal data apply, which essentially reject consent by omission or inaction: silence, pre-ticked boxes, or inactivity will not constitute consent.
"For South African organisations, if the GDPR applies to you, consider how you can combine your GDPR and Protection of Personal Information Act compliance programmes, as numerous requirements are similar (although there are some differences)".
In the event that a medical tourism agent shares personal data with a vendor such as a hotel, a Data Processing Agreement (DPA) must be in place between the two parties, confirming the vendor's compliance with the GDPR and setting out the purposes for which the data may be processed.