What is GDPR?
The General Data Protection Regulation (GDPR) is an EU regulation (Regulation (EU) 2016/679) intended to protect the personal data of individuals in the European Union (EU). It applies to any organization, inside or outside the EU, that processes the personal data of people in the EU, and it regulates how such data is collected, stored, used and shared. GDPR became applicable on May 25, 2018.
You can find the full text here. Below are the highlights of the GDPR.
Why GDPR is important
If your organization offers goods or services to people in the EU, monitors their behaviour, or plans to do so in the future, you must implement systems to achieve and maintain compliance with GDPR’s core provisions. This includes customer data held in your email system, data transmitted through your network, and data collected by your website.
Highlights of the GDPR
The General Data Protection Regulation harmonizes and unifies data protection for natural persons resident within the European Union.
- Entered into force in May 2016, applicable from May 2018
- Expands the existing rights of data subjects
- Applies to all organizations processing the personal data of data subjects in the EU, regardless of where the organization is established
- Places direct obligations on both data controllers and processors
- Requires data breach notification to the supervisory authority, where feasible within 72 hours of becoming aware of the breach
- Fines of up to €20m or 4% of annual worldwide turnover, whichever is higher, for non-compliance.
Data subject - the natural person to whom the personal data relates.
Personal data - any information relating to an identified or identifiable data subject, such as a name, an identification number, location data, an online identifier, etc.
Processing - a broad concept that includes almost anything that can be done with personal data, including collection, storage, use, and destruction. Disclosure is also a form of processing.
Data controller - a person who (either alone or jointly with other persons) determines the purposes for which, and the means by which, personal data is processed.
Data processor - any person (other than an employee of the data controller) who processes personal data on behalf of the data controller.
Six privacy principles under the GDPR:
- Lawfulness, fairness, and transparency - processing must have a lawful basis, and data subjects must be informed of the processing that will take place
- Purpose limitation - personal data may only be collected for specified, explicit and legitimate purposes; organizations need to think about why personal data is being collected and whether it is necessary
- Data minimization - collect and keep only the data that is adequate, relevant and limited to what is necessary for the specific processing
- Accuracy - data stored or processed must be accurate and, where necessary, kept up to date
- Storage limitation - personal data must not be kept in identifiable form for longer than the purpose requires; define retention schedules
- Integrity and confidentiality - requirements on how data is processed, stored and protected against unauthorized or unlawful processing, loss, destruction or damage.
Data controller vs data processor
The concept of the data controller, and its interaction with the concept of the data processor, plays a crucial role in the implementation of the Regulation. The data controller remains primarily responsible for ensuring that its processing complies with the Regulation, whether it processes data internally or engages a data processor. Where roles and responsibilities are unclear, they will need to be clarified to ensure that personal data is processed in accordance with the data protection principles.
The GDPR also places direct obligations on data processors. Data processors may therefore be subject to direct enforcement by supervisory authorities, significant fines for non-compliance, and compensation claims by data subjects for damage caused by breaching the GDPR.
Key highlights of the GDPR
- The extraterritorial reach of the GDPR
The Regulation primarily applies to businesses established in the Union. However, it also applies to businesses based outside the Union that offer goods or services to, or monitor the behaviour of, individuals in the Union.
You will need to ascertain the extent to which the GDPR applies to you and begin to take steps to reduce your level of exposure in order to comply.
If you are not established in the Union, you will need to appoint a representative in the Union, subject to certain limited exemptions. The representative may be held liable for breaches of the Regulation.
- Consent
Consent is one of the lawful bases for processing personal data (others include performance of a contract, a legal obligation, and the legitimate interests of the controller). Where you rely on consent, it must be freely given, specific, informed and unambiguous, and you must be able to demonstrate that it was given.
Individuals can withdraw their consent at any time, and withdrawing it must be as easy as giving it.
Where a transfer of personal data outside the EU relies on consent rather than an adequacy decision or other safeguard, that consent must be explicit and the individual must be informed of the risks.
You will need to review how you are seeking, obtaining and recording consent and whether you need to make any changes.
- Rights of data subjects
- Access their own personal data
- Rectify inaccurate data and challenge automated decisions, including profiling, made about them
- Object to processing, including direct marketing
- Erasure ("right to be forgotten")
- Data portability (receive their data in a structured, commonly used, machine-readable format).
- The new rights are complex and it is not yet clear how they will operate in practice.
Check internal procedures to ensure that day-to-day operations support all data subject rights, including how you would locate and delete an individual's personal data across every system that holds it, and how you would provide data electronically in a commonly used format.
Additionally, because subject access requests must be answered without undue delay and in any event within one month (extendable by a further two months for complex or numerous requests), you should update your procedures and plan how you will verify the requester's identity and handle requests within that time.
- Data security and data breach notification
The Regulation requires you to keep personal data secure, with technical and organizational measures appropriate to the risk. This obligation is expressed in general terms but explicitly names measures such as pseudonymisation, encryption, and the ability to restore availability after an incident, so enhanced measures may be needed.
Controllers must report personal data breaches to their supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (unless the breach is unlikely to result in a risk to data subjects); a later notification must be accompanied by reasons for the delay. Processors must notify the controller without undue delay. For a breach that is likely to result in a high risk to the rights and freedoms of natural persons, you must also inform the affected data subjects without undue delay.
You will need to ensure that there is an operational and functional incident response team, clear internal reporting structures, and a record of all breaches (including those not notified) in place.
- Appointment of a data protection officer
You may be obliged to appoint a data protection officer (DPO).
The GDPR sets no headcount threshold for appointing a DPO; the 250-employee figure in the final text relates only to a partial exemption from keeping records of processing activities. A DPO is mandatory for public authorities, for organizations whose core activities involve regular and systematic monitoring of data subjects on a large scale, and for organizations that process special categories of data (or data relating to criminal convictions) on a large scale. Appointing one voluntarily is recommended in other cases.
The data protection officer must report directly to the highest level of management within your organization and must not be penalised for performing the role.
A group of companies may appoint a single DPO, provided the DPO is easily accessible from each establishment; an entity processing personal data globally, including in the EU, should assess whether the mandatory criteria above apply to it.
- Accountability and impact assessments
An entity must not only comply with the six general principles but also be able to demonstrate that compliance (the accountability principle).
If you are carrying out "high risk" processing, you must carry out a data protection impact assessment (DPIA, also called a privacy impact assessment) and, where the assessment shows a residual high risk that cannot be mitigated, consult your supervisory authority before processing.
Ensure that the information collected is accurate and well documented for ease of access when demonstrating compliance. Have an internal code of practice. Assess the nature of the data you are processing to ascertain whether it falls into the high-risk category.
- Privacy by design
The privacy by design requirement under the GDPR (Article 25, "data protection by design and by default") requires companies to build compliant policies, procedures and systems into a product or process from the outset of its development, and to default to the most privacy-protective settings.
This approach promotes privacy and data protection compliance from the start, rather than as an afterthought.
Develop and conduct regular data protection impact assessments so as to identify and reduce the organization's privacy risks.
Revise standard agreements with data processors to incorporate the privacy by design approach.
The GDPR is not one size fits all: how to prepare
- Remember that this is also a legal issue and not solely an IT issue
- Understand your current data privacy compliance framework
- Define the impact on your (global) business operations
- Identify the personal data you collect, the lawful basis for each processing activity, and where the data is stored
- Review current internal and external data privacy agreements
- Define the process for mitigating privacy/security violations
- Develop access policies and procedures for relevance and transparency
- Develop data protection impact assessments and maintain a risk register
- Ensure compliance is achieved across the whole group of companies
- Evaluate the relevance/accuracy of records and retention schedules
- Employ tools and technologies to help achieve and maintain compliance
- Create company-wide awareness
Everyone in your organization must be aware of the importance of good data management and governance. Decision-makers and key people must be able to fully appreciate the requirements of GDPR before spearheading compliance. Implementing the GDPR could have significant resource implications, especially for larger and more complex organizations.
Identify, review, and, where necessary, revise your data processing agreements to ensure that they are GDPR-compliant; any new agreements should be concluded in accordance with the requirements of the GDPR. Consider mechanisms for resolving disputes about respective liabilities when settling compensation claims, given the new provision allowing for joint liability of controllers and processors for data protection breaches. Ensure that you have clear documentation and record-keeping procedures in place to prove that you meet the required standards, and implement measures to prepare and maintain records of your organization’s processing activities.
The role of legal and compliance professionals
- Legal/risk/compliance professionals are the guardians of the integrity, privacy, and security of the organization’s data
- They are integral, as they devise approaches to what needs to be done to mitigate risk and achieve compliance while still taking advantage of the benefits of IT
- Business and IT colleagues depend on risk and compliance professionals for guidance
- Technology, standards, and regulations are always evolving
- Compliance in IT can be complex, time-consuming, and costly
- Data privacy, data security, data residency, and government surveillance are now things we must think about
- Data management and governance should be board-driven