GDPR Compliance SpecialistGDPR IS HERE, ARE YOU COMPLIANT?
On May 25, 2018, a new landmark privacy law called the General Data Protection Regulation (GDPR) took effect in the European Union (EU). It carries provisions that require businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states
What is GDPR?
The GDPR was adopted by the European Parliament in April 2016. The provisions reinforce data protection in line with contemporary concerns about personal information, and apply to both EU member states and organisations outside the union when processing the data of citizens within it.
Regulations have been harmonised to ease compliance, with one set of laws applying across all 28 member states. The clarity comes with severe penalties for violations if you don’t follow the basic principles for processing data, such as consent, ignore individuals’ rights over their data, or transfer data to another country. Under the GDPR, authorities can fine organizations up to the greater of €20 million or 4% of a company’s annual global revenue, based on the seriousness of the breach and damages incurred.
Why was it created?
The GDPR provision intends to replace outdated data protection laws in each EU member states to strengthen the protection of personal data in light of rapid technological developments, increased globalization, and more complex international flows of personal data.
The core objectives behind GDPR are twofold.
- Usage and storage of EU citizens data
The GDPR regulates the “processing,” which includes the collection, storage, transfer or use, of personal data about EU individuals. Importantly, under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”).
2. Give greater control to EU citizens over how their personal data are user
Which companies are affected by the GDPR?
Any organization that processes personal data of EU individuals, including tracking their online activities, is within the scope of the law, even if they do not have a business presence within the EU. Specific criteria for companies required to comply are:
- A presence in an EU country.
- No presence in the EU, but it processes personal data of European residents.
- More than 250 employees.
- Fewer than 250 employees but its data-processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data.
In other words GDPR applies to all companies worldwide working with personal data related of European Union (EU) citizens.
What does it require?
Basis of data processing
In order to process personal data, organizations must have a lawful basis to process the data, such as to fulfill the performance of an agreement with the data subject or by obtaining the consent of a data subject. To the extent that consent is the only lawful basis, that consent must be freely given, specific, informed, and unambiguous. In other words, organizations must give data subjects a genuine choice whether to allow their data to be processed, and data subjects must agree via a clear statement or affirmative action. Requiring data subjects to grant broad consent to processing of their personal data when they register to use a service may not constitute freely given consent beyond processing that is necessary for providing the service. Additionally, organizations must be able to prove that they obtained valid consent.
Previous EU law directly regulated primarily data controllers; however, the GDPR places numerous direct compliance obligations on data processors. This includes requirements that processors only process personal data in accordance with the controller’s instructions, not share data with other vendors without consent of the controller, and implement appropriate security measures (which we discuss further in the next unit). Additionally, the law imposes several more compliance obligations on both data controllers and data processors to implement appropriate policies, assess the privacy impact of changes to business practices, and keep detailed records on data activities.
Data controllers must report any data breach to their data protection authority as soon as possible and no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in any harm to the data subjects. If there is a high risk of harm, data controllers must report data breaches to the data subjects as soon as possible. Data processors must also notify data controllers of data breaches as soon as possible.
Data protection officer
Any organization that regularly processes sensitive personal data on a large scale or is involved in regular and systematic monitoring of data subjects must appoint a data protection officer to ensure the organization complies with privacy law.
Under previous EU law, data protection authorities in Europe had limited ability to punish companies that violated privacy law. Under the GDPR, authorities can fine companies up to the greater of €20 million or 4% of a company’s annual global revenue, based on the seriousness of the breach and damages incurred.
Use of processors
Data controllers must have written agreements with data processors that ensure processors act only in accordance with the controller’s instructions, implement appropriate security measures to protect the data, assist the controller with its compliance obligations, return or destroy personal data at the end of the relationship, and comply with the provisions of GDPR applicable to processors.
The GDPR places certain restrictions on the automated processing of personal data to evaluate a data subject—or, “profiling.” This includes monitoring or tracking data subjects to analyze or predict work performance, economic situation, health, behavior, preferences, or attitudes. Automated processes that can result in a significant impact on an individual, such as denial of a job or credit application, are considered high risk and are permitted only in limited cases.
Data subject rights
The GDPR provides data subjects with a broad range of rights regarding their personal data. Data subjects can request that data controllers provide them with access to all personal data the controller maintains about them, and they can request that the data be corrected, deleted, frozen, or made portable (for example, downloaded). Additionally, they can object to certain processing and revoke previously given consent. We talk more about these rights in the next unit.
The GDPR provides a central point of enforcement for organizations with operations in multiple EU member states by requiring such organizations to work with a lead supervisory authority for cross-border data protection issues.
How can we assist you?
STEP 1: IDENTIFY PERSONAL DATA IN YOUR COMPANY
The first step is understanding what personal data your organisation has and where it stores it. It is not uncommon for organizations to have have dozens, if not hundreds, of different databases and systems that store personal data
The personal data can come from employees, job applicants, affiliates, partners people who fill out forms on websites, participate in contests or loyalty programs, make purchases, fill out rebate or warranty cards, attend events, or contact customer service teams via email, phone, or social media.
STEP 2: DOCUMENTING USAGE AND PURPOSE OF PERSONAL DATA
Once a data source has been identified as containing personal data, the next step is to document the purpose and usage of that data. We help you build a data inventory that shows, for each storage system, which type of data is stored there, where it came from, what it is used for, who has access to it, how it is secured, which third parties it is transferred to, and how long to keep it.
STEP 3: ESTABLISH CONTROLS AND PROCESSES
- Ensure privacy notices are present wherever personal data is collected
- Implement controls to limit the organization’s use of data to the purposes for which it collected the data
- Establish mechanisms to manage data subject consent preferences
- Implement appropriate administrative, physical, and technological security measures and processes to detect and respond to security breaches
- Establish procedures to respond to data subject requests for access, rectification, objection, restriction, portability, and deletion (right to be forgotten)
- Enter into contracts with affiliates and vendors that collect or receive personal data
- Establish a privacy impact assessments process
- Administer employee and vendor privacy and security awareness training
STEP 4: DEFINE NEW MARKETING/SALES TARGET PROCESSES
STEP 5: MAINTAINING COMPLIANCE
- Compile copies of privacy notices and consent forms, the data inventory and register of data processing activities, written policies and procedures, training materials, intra-company data transfer agreements, and vendor contracts
- Development of rich search and queries capabilites to satisfy personal data regulatory request
- Conduct periodic risk assessments
Need a hand to be GDPR-compliant ?