The General Data Protection Regulation (GDPR), adopted by the EU in April 2016, replaces the 1995 Data Protection Directive. It brings into effect a more comprehensive and stringent set of rules on collecting, storing, and processing the personal data of individuals in the EU. The regulation standardizes data privacy and protection across the EU's member states and gives individuals greater rights over their data.
With the May 25, 2018 deadline approaching, when the regulation starts to apply, let's take a quick look at what GDPR is and figure out the next steps for your enterprise.
The GDPR is concerned with the following types of data:
What's new with GDPR is that pseudonymised data is explicitly brought within the scope of the law: data that can be linked back to a person with the help of separately held additional information (such as a key or lookup table) is still personal data. At the same time, GDPR actively incentivizes pseudonymisation and relaxes several requirements for data controllers that use it, because it reduces the risk to individuals if the dataset alone is exposed.
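The practical distinction behind that paragraph is whether re-identification depends on information held separately from the dataset. The following is an added example, not code from the original article: it contrasts an unkeyed hash of an email address, which an attacker can reverse by hashing a list of candidate addresses, with an HMAC under a secret key. The key is the "additional information" that has to be stored apart from the pseudonymised records. The sample records and the candidate list are constructed for the example, and the choice of HMAC-SHA256 is an assumption, not something the article prescribes.

```python
"""Keyed pseudonymisation of direct identifiers (added example).

Shows why an unkeyed hash is not pseudonymisation in a useful sense (it is
reversible by hashing a candidate list) and how an HMAC with a secret key,
stored separately from the data, makes re-identification depend on the key.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed sample records for the example; these are not real people.
RECORDS = [
    {"email": "alice@example.org", "plan": "pro"},
    {"email": "bob@example.org", "plan": "free"},
]


def normalise(identifier: str) -> str:
    """Canonicalise the identifier so one person always yields one pseudonym."""
    return identifier.strip().lower()


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256: deterministic, but anyone can rebuild it from a guess."""
    return hashlib.sha256(normalise(identifier).encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key.

    Without the key, linking the pseudonym back to the identifier is not
    feasible; the key is the separately held information GDPR has in mind.
    """
    return hmac.new(key, normalise(identifier).encode(), hashlib.sha256).hexdigest()


def reverse_by_dictionary(pseudonym: str, candidates: Iterable[str],
                          key: Optional[bytes] = None) -> Optional[str]:
    """Attacker's view: hash every candidate identifier and look for a match.

    With key=None the attacker only has the dataset and tries unkeyed hashes;
    with the key (e.g. after a second breach of the key store) the keyed
    pseudonyms fall just as easily.
    """
    for candidate in candidates:
        guess = (naive_pseudonym(candidate) if key is None
                 else keyed_pseudonym(candidate, key))
        if hmac.compare_digest(guess, pseudonym):
            return candidate
    return None


def pseudonymise_dataset(records, key: bytes):
    """Replace the direct identifier with a keyed pseudonym; other fields stay."""
    return [{"subject": keyed_pseudonym(r["email"], key), "plan": r["plan"]}
            for r in records]


if __name__ == "__main__":
    # In production the key lives in a KMS/HSM, not beside the dataset.
    key = secrets.token_bytes(32)
    leaked_candidates = ["carol@example.org", "alice@example.org", "bob@example.org"]

    naive = naive_pseudonym("alice@example.org")
    print("unkeyed hash reversed to:", reverse_by_dictionary(naive, leaked_candidates))

    keyed = keyed_pseudonym("alice@example.org", key)
    print("keyed, no key:", reverse_by_dictionary(keyed, leaked_candidates))
    print("keyed, with key:", reverse_by_dictionary(keyed, leaked_candidates, key))
    print(pseudonymise_dataset(RECORDS, key))
```

Two design points matter for the compliance argument: the pseudonym must be deterministic (hence the normalisation step) so that rights requests and deletions can be matched to the right records, and the key must be rotated or destroyed independently of the dataset, because anyone holding both the records and the key is back to processing directly identifiable personal data.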
Any organization, whether a charity or a for-profit business, that collects, stores, or processes personal data belonging to individuals in the EU will have to comply with GDPR, regardless of where the organization itself is based. It applies to your enterprise if you are:
While GDPR gives individuals in the EU greater rights over their personal data, it also creates new obligations for enterprises:
Enterprises have to review the mechanisms through which they collect personal information. Consent is one of the lawful bases for processing under GDPR, and where an organization relies on it, the consent must be freely given, specific, informed, and unambiguous, expressed through a clear affirmative action. Organizations therefore have to be transparent about why data is being collected and how it will be used. Pre-ticked checkboxes, silence or inactivity do not count as consent, and using collected data for a purpose other than the one disclosed is a violation of GDPR.
GDPR gives individuals access to the data an organization holds about them via a Subject Access Request (SAR). Enterprises should be able to respond to SARs within one month, and be ready to erase personal information from their systems when an individual requests it and the conditions for erasure are met.
What data is being collected, why, on what lawful basis, for how long it will be stored, and what security measures protect it: all of this has to be documented by the enterprise. Any data collected should have a verifiable trail showing that it was collected with the individual's consent or under another lawful basis, and that it is being used for a purpose the individual has been told about.
Any unauthorized access to, or accidental or unlawful loss, alteration, disclosure or destruction of, personal data is considered a personal data breach. Unless the breach is unlikely to result in a risk to individuals, it has to be reported to the competent data protection authority within 72 hours of the organization becoming aware of it. Where the breach is likely to result in a high risk to the rights and freedoms of the individuals concerned, they have to be informed as well, without undue delay.
Considering everything required of enterprises to ensure compliance with GDPR, most large enterprises will need dedicated personnel. A Data Protection Officer (DPO) is in charge of maintaining fair and transparent data collection and processing, advising on data protection impact assessments for new projects, and acting as the contact point for regulators. Appointing a DPO is mandatory for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data; for everyone else it is optional but strongly advisable. The role may be filled internally or by an external consultant.
One of the key features that makes GDPR effective is the ability of data protection authorities to levy fines on non-compliant organizations. Processing data without a lawful basis, ignoring data subject rights, or failing to appoint a DPO when your company requires one are all grounds for penalties. Failing to report a data breach within the stipulated time also draws heavy fines. Administrative fines are tiered: up to €10 million or two percent of the company's worldwide annual turnover for infringements such as breach notification and DPO obligations, and up to €20 million or four percent of worldwide annual turnover for the most serious infringements, such as violating the basic processing principles or individuals' rights. In each tier, whichever amount is higher applies.
If you haven't already given thought to GDPR, now is the right time to get started. Even enterprises that follow stringent internal data protection policies will have to implement changes under GDPR. Here is what enterprises need to do now:
That was a quick round-up of GDPR and how it is set to impact enterprises. Once an organization has reviewed its current data protection policies and identified the gaps, the next step is implementing the technical changes on its online properties and back-end systems. Enterprise decision makers should therefore also start thinking about how this will be done, which in-house resources they need, and which technology partners, if any, to bring in.
With all of this going on, GDPR might look like a major threat to businesses in 2018. However, enterprises should keep an eye on the silver lining: a credible data protection posture is increasingly a selling point, and GDPR compliance can also open up new business opportunities.