The General Data Protection Regulation (GDPR), adopted by the EU in April 2016, replaces the previous 1995 data protection directive. It brings into effect a more comprehensive and stringent set of laws around collecting, storing, and processing the data of EU citizens. The regulation standardizes data privacy and protection throughout the EU’s member nations and gives EU citizens greater rights over their data.
With the deadline of May 25, 2018, when it comes into effect, approaching, let’s take a quick look at what GDPR is and figure out the next steps for your enterprise.
What type of data is covered by GDPR?
The GDPR is concerned with the following types of data:
- Personal information: Any piece of information that can be used to identify a person; name, address, etc.
- Sensitive personal data: Information that is not considered common public knowledge: religious, sexual, or political orientation, race, etc.
- Pseudonymised data: Data where personal identifiers have been replaced with pseudonyms; for example, a name replaced with a unique number.
What’s new with GDPR is that pseudonymised data is explicitly covered by the law. At the same time, GDPR incentivizes pseudonymisation and relaxes several requirements on data controllers that use this method.
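To make the pseudonymisation idea concrete, here is an added example (not from the original post) that replaces an identifier with a keyed HMAC token and keeps the re-identification table separately from the working data; the record layout, key handling and function names are assumptions. Because the tokens are deterministic, records of the same person still link for analysis, but re-identification needs the key or the separately held table.

```python
import hmac
import hashlib
import secrets

# Constructed sample records (not real people) containing GDPR personal data.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "purchase": "book"},
    {"name": "Bob Example", "email": "bob@example.org", "purchase": "lamp"},
    {"name": "Alice Example", "email": "alice@example.org", "purchase": "pen"},
]


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: HMAC-SHA256 over the normalised identifier.

    Same person -> same token, so records stay linkable; without the key the
    token cannot be turned back into the identifier. Assumed design, not GDPR text.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Return (pseudonymised_records, reidentification_table).

    The table is the 'additional information' that must be stored separately
    and under access control, away from the working data set.
    """
    out, table = [], {}
    for rec in records:
        token = pseudonym(rec["email"], key)
        table[token] = {"name": rec["name"], "email": rec["email"]}
        out.append({"subject": token, "purchase": rec["purchase"]})
    return out, table


def erase_subject(pseudo_records, table, token):
    """Handle an erasure request: drop the subject's rows and its mapping entry."""
    table.pop(token, None)
    return [r for r in pseudo_records if r["subject"] != token]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # keep in a secrets manager, never beside the data
    data, mapping = pseudonymise(SAMPLE_RECORDS, key)
    print(data)            # analytics view: tokens and purchases only
    print(list(mapping))   # tokens that the separately held table can resolve
```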
Which organizations need to comply with GDPR?
Any organization, whether charity or for-profit, that collects, stores, and processes data belonging to EU citizens will have to comply with GDPR. It applies to your enterprise if you:
- Are based in the EU and collect and use EU citizens’ data in any form
- Are based outside the EU but cater to or monitor EU citizens and collect data in the process
- Do not collect or use EU citizen data yourself but are contracted to process such data
How exactly does GDPR impact enterprises?
While GDPR gives greater rights to EU citizens over their personal data, it also creates certain new obligations for enterprises:
Enterprises have to review the mechanisms via which they collect personal information. GDPR mandates that all citizens have to give active consent to their personal information being collected, so organizations have to be transparent about why data is being collected and how it will be used. Pre-ticked checkboxes used to obtain consent, or use of collected data for any purpose other than the one disclosed, will be in violation of GDPR.
GDPR gives citizens access to their data stored by any organization via a Subject Access Request (SAR). Enterprises should be able to process SARs within a month, and be ready to erase personal information from their databases if so requested by an individual.
What data is being collected, why, for how long it will be stored, and what security measures surround it: all of this has to be documented by enterprises. Any data collected should have a verifiable trail showing that the information was collected with the citizen’s consent and is being used for a purpose that they are aware of.
Reporting Data Breaches
Any unauthorized access, loss, alteration or destruction of data is considered a breach of data privacy and has to be disclosed to the country’s data regulator within 72 hours. If the breach has repercussions for EU citizens, the individuals concerned have to be informed as well.
Data Protection Officers
Considering all that is required of enterprises to ensure compliance with GDPR, most large enterprises will feel the need for dedicated personnel. Data Protection Officers (DPOs) will be in charge of maintaining fair and transparent data collection and processing systems, as well as evaluating every new project for its impact on data privacy. While hiring a DPO is not mandatory for every organization, large enterprises should definitely consider appointing third-party consultants for this role.
One of the key features that make GDPR effective is the ability of data regulators to levy fines on non-compliant organizations. Not processing data in the specified manner, or failure to appoint a DPO if your company requires one, are grounds for penalties. More serious infractions, such as a data breach or failure to report a data breach within the stipulated time, also draw heavy fines. These can go up to €20 million or four percent of the company’s global turnover, whichever is greater.
What are the next steps?
If you haven’t already given GDPR a thought, now is the right time to get started. Even for enterprises that follow stringent internal data protection policies, GDPR will mean implementing certain changes. Here’s what enterprises need to do now:
- Go over your enterprise’s data protection policies with a fine-tooth comb and identify the areas that will need improvements or changes. Review data collection, processing, and storage procedures to make sure they are compliant.
- Identify any ongoing projects that could cause compliance problems under the GDPR.
- Take stock of all data held within the enterprise and document what was collected, why, and how it is being stored and handled.
- Review all data privacy notices and forms and make sure they inform citizens how their data is being used.
- Set up processes to handle data access, correction, and deletion requests. Ensure that they are swift and stick to the timelines set out in the GDPR.
- Ensure you have a streamlined process to identify, control and report data breaches.
- Review whether your organization requires a DPO under the GDPR guidelines, and appoint one accordingly.
- And finally, plan the transition to the new systems and processes, including allocation of adequate time and resources.
That was a quick round-up of GDPR and how it is set to impact enterprises. Once they have reviewed their current data protection policies to identify the gaps, the next step will be implementing the technical changes on their online properties. So enterprise decision makers should also start thinking about how this will be done, what in-house resources they require, or which technology partner to outsource it to.