The European Union’s General Data Protection Regulation (GDPR) comes into force on 25 May 2018. For companies and organisations that handle data relating to EU residents, this means you have some work to do over the coming months!
The GDPR is a new Regulation and Directive by the European Commission that protects EU data subjects’ fundamental right to privacy and the protection of personal data. It applies to any company doing business with customers in Europe and noncompliance can cost up to EUR 20 million in fines, or 4% of said company’s total global revenue, whichever is higher.
In other words, if you have customers in Europe, becoming compliant with the new GDPR should be very high up on your agenda! Here’s what it means for your organisation…
The definition of “personal data” has expanded to include any information relating to a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
When requesting this data, companies have to use plain language, clearly identify who they are, and explain why they are processing that data, how long it will be stored for and who will receive it. They also have to give data subjects access to their own data and allow them to pass it on to another company if they want to.
Controllers and processors
The Regulation splits companies dealing with this personal data into two groups: controllers and processors. Controllers decide how and why personal data is processed; they are subject to legal obligations and liabilities and are required to maintain records of personal data and processing activities. Processors are those who act on behalf of the controllers, but the legal obligations remain with the controller.
This legal obligation is to “implement appropriate technical and organisational measures” to meet the Regulation’s requirements and protect data subjects’ rights. In effect, controllers should employ information security frameworks (or ensure that processors acting on their behalf do) that create consistent, repeatable processes and implement controls generally accepted by the information security community.
Data Protection Officers
Depending on the type and amount of data you collect, you might have to designate a “Data Protection Officer” (DPO). For instance, if you process personal data to target advertising through search engines based on people’s behaviour online, you need a DPO. If you process personal data on genetics and health for a hospital, then you also need a DPO.
DPOs are responsible for educating the company and its employees on important compliance requirements, training staff involved in data processing, and conducting regular security audits. They need to have “expert knowledge of data protection law and practices” and can be either an employee of the controller or processor, or a third-party service provider.
A key requirement of the GDPR is the need to obtain specific consent from an individual before acquiring, storing or utilising their personal data. Companies must provide EU nationals with clear, easily understood opt-in processes that expressly state how users’ data will be stored, processed, or used.
In addition, the GDPR establishes that the individual has a “Right to be Forgotten” and can request that their personal information be explicitly removed from use. Without some other legal reason to process an individual’s information, the corporation must respect a request to delete data without undue delay.
In the event of a personal data breach, companies must notify the appropriate supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” If notification is not made within 72 hours, the controller must provide a “reasoned justification” for the delay.
Should the controller determine that the personal data breach “is likely to result in a high risk to the rights and freedoms of individuals,” then all data subjects also have to be informed. This may be done by a public communication.
To find out what your company has to do specifically to be GDPR compliant by 25 May, get in touch with us at WAAT. Take our GDPR compliance checker to inspect your data systems in a timely and cost-effective manner.