What is the GDPR?
The General Data Protection Regulation (GDPR) is an extensive new personal data protection law that gives residents of the European Union (EU) significantly more control over their personal data and requires any organizations that handles this data to employ appropriate security standards. Failure to comply with the GDPR could result in significant penalties – up to €20m or 4% of annual global turnover, whichever is greater.
The law protects personal data regardless of the technology used for processing that data – it’s technology neutral and applies to both automated and manual processing, provided the data is organized in accordance with pre-defined criteria (for example alphabetical order). It also doesn’t matter how the data is stored – in an IT system, through video surveillance, or on paper; in all cases, personal data is subject to the protection requirements set out in the GDPR.
- a name and surname;
- a home address;
- an email address such as firstname.lastname@example.org;
- an identification card number;
- location data (for example the location data function on a mobile phone);
- an Internet Protocol (IP) address;
- a cookie ID;
- the advertising identifier of your phone;
- data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.
When is the GDPR coming into effect?
The GDPR was approved and adopted by the EU Parliament in April 2016. The regulation will take effect after a two-year transition period and, unlike a Directive it does not require any enabling legislation to be passed by government; meaning it will be in force May 2018.
Who is affected by GDP?
The GDPR not only applies to organizations based in the EU, but also applies to organizations based outside of the EU if they offer products or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and keeping the personal data of data subjects residing in the European Union, regardless of the company’s location.
4 key steps to GDPR compliance
Microsoft suggests taking this simple 4-step approach for GDPR compliance. Good starting point on your way to GDP compliance is to identify what personal data you already have and where it is stored. The next step would be to develop personal data management protocols that define personal data usage and accessibility. Third step is data protection. Design adequate security measures to avoid any data loss and prevent possible data breaches. And last but not least, continuously review and update data security protocols and be ready to report to personal data subjects and supervision authorities upon request,
Six main principles of GDPR
Ultimately, GDPR compliance will be assessed by six principles:
- Personal information shall be processed lawfully, fairly and in a transparent manner
This principle is based on a notion of clear consent. In any instance where personal data is collected, it should have explicit consent of the data subject. Opt-in tick boxes are still permitted, but the regulation explicitly bans consent by non-action or pre-checked boxes.
- Personal information shall be collected for specified, explicit and legitimate purposes
When personal information is collected the purpose for its collection and subsequent processing must be clearly communicated to data subject. Organizations will have to be much clearer with data subjects about what their personal information is going to be used for.
- Personal information shall be adequate, relevant, and limited to what is necessary
Only personal information that is absolutely required for the specified purpose shall be collected. For example, if collecting personal information to send a newspaper subscription, there is no grounds to request date of birth.
- Personal information shall be accurate and, where necessary, kept up-to-date
Data controller shall ensure – to the best of their abilities – that the information collected is correct. This principle addresses situations where processing incorrect personal information may cause damage to data subjects.
- Personal information shall be retained only for as long as necessary
Personal information must have an expiration date applied accordingly to its collected purpose.
- Personal information shall be processed in an appropriate manner to maintain security
The principle requires data controllers and processors to ensure that their systems maintain the confidentiality, integrity and availability of data processing systems.
Conclusion: Things to consider under GDPR
GDPR takes effect in May 2018. It enforces new personal data security law to all businesses and organizations that provide services or offer goods to people in the EU or collect and process data of the EU citizens. GDPR applies to anyone regardless of location.
Here are the key aspects that you need to consider about GDPR law:
Individuals have the right to:
- Access their personal data
- Correct errors in their personal data
- Erase their personal data
- Object to processing of their personal data
- Export personal data
Controls and notifications
Organizations will need to:
- Protect personal data using appropriate security
- Notify authorities of personal data breaches
- Obtain appropriate consents for processing data
- Keep records detailing data processing
Organizations are required to:
- Provide clear notice of data collection
- Outline processing purposes and use cases
- Define data retention and deletion policies
IT and training
Organizations will need to:
- Train privacy personnel and employees
- Audit and update data policies
- Employ a Data Protection Officer (if required)
- Create and manage compliant vendor contracts
Images courtesy of Microsoft