Bulletin 1: Overview of the EU-GDPR and other Data Privacy Regulations

IEEE Technical Activities Bulletin #1

Topic: Overview of the EU-GDPR and other Data Privacy Regulations

Bulletin Type: Informational

Audience: All

Version 2 - July 2021

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

What is GDPR?

The General Data Protection Regulation (GDPR) is a regulation by European Union (EU) authorities to strengthen and unify data protection for EU citizens and individuals within the EU. The primary aim of GDPR is to give EU citizens and residents control over their personal data. GDPR went into effect on 25 May 2018. It was one of the first comprehensive regulations introduced to have global impact. Since that time, additional bodies have implemented their own data privacy regulations, which share common characteristics with the EU-GDPR.

What do I need to know about GDPR and other data privacy regulations?

Data privacy regulations, including GDPR, are designed to protect the personal data of individuals. Examples of personal data include name, email address, personal address, photographs, and other digital identifiers (e.g. IP address). IEEE is an international organization that, in some cases, collects, stores, and processes personal data of EU citizens. As a result, IEEE may be subject to GDPR regulations. Some of the core tenets of GDPR are:

  • Consent: Use of personal data may now require consent from individuals prior to processing.
  • Right to Access/Data Portability: If requested, IEEE’s Data Protection Officer (DPO) must provide individuals with a copy of their personal data in a commonly used and machine-readable electronic format.
  • Right to be Forgotten: Individuals may require IEEE to erase their personal information from databases, unless there are legal requirements where IEEE must retain this information or other exceptions exist.
  • Breach Notification: Data breaches must be reported to regulatory authorities within 72 hours of first becoming aware of the breach.
  • Privacy and Data Considerations: Systems must be designed with privacy in mind from the outset.

As a standard practice, organizations should only collect and process the data necessary for the completion of their duties and limit access to only those needing this information. 

Many of the core tenets of GDPR are seen in other data privacy regulations that have been passed since 2018.

What does “Consent” mean under GDPR?

One of the fundamental changes introduced by GDPR is the need for organizations to obtain consent from individuals prior to processing personal data in certain situations. Elements of consent include:

  • Opt-in: Consent must be opt-in; implied consent or pre-checked consent is no longer viable.
  • Unambiguous: Consent to use personal data must be “freely given, specific, informed, and unambiguous”.
  • Clarity: Consent must be requested in an intelligible and easily accessible form; terms and conditions written in legalese are not acceptable.
  • Sharing: If personal data will be shared with third parties it must be disclosed to the individual in order to gain effective consent.
  • Withdrawn: Consent must be as easy to withdraw as it is to give.

What happens if there is a violation?

As a global enterprise, IEEE has taken GDPR very seriously. In the event of a violation, the regulation permits significant fines and penalties.

  • Fines: May be up to 4% of annual global turnover or €20 Million, whichever is higher.
  • Penalties: Regulatory agencies may also be permitted to enforce other penalties such as deletion of personal data and placing limitations on interactions with citizens of EU member states.
  • IEEE Reputation: Loss of IEEE’s reputation as a fair and ethical marketer. As a leading proponent of technology ethics, policy, and standards, IEEE wants to maintain its high-quality leadership position.

If you believe that a data incident (e.g. a compromise of a computer network containing IEEE personal data, loss of a device containing IEEE personal data) may have occurred, please contact privacy@ieee.org.

How can I learn more?

The latest information on GDPR and other data privacy regulations can be found on the Technical Activities Data Privacy Resource Page or the IEEE Data Privacy page.

Please forward this email to your IEEE colleagues who handle personal data, newsletter/email distributions, websites, or other activities that fall under GDPR.

If you have questions or need assistance, please contact TA Answer Central.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
