The European General Data Protection Regulation (GDPR), enforcing a strict set of new rules concerning privacy and data security, comes into force on the 25th May. Organizations failing to comply might face a maximum fine of up to €20 million or 4% of the company’s global annual turnover, of the previous financial year, whichever is higher. The regulation defines personal data as “any information relating to an identified or identifiable natural person”. It affects anyone holding data on EU citizens, regardless of size, including companies that are not in Europe.
The reasons for the adoption of the GDPR are two-fold. Firstly, the EU wants to give its citizens more control over the use of their personal data with the hope that this will improve their trust in the emerging digital economy. And, secondly the EU wants to provide businesses with a clearer legal environment in which to operate and have an identical data-protection law throughout the single market.
The GDPR is a hundred page long document that changes requirements or creates new ones regarding privacy in several key areas.
A major aspect affected is that of consent. Until now a company needed consent but only had to ask once and that covered all its use of data. Now, companies need to have consent for each use of customer data; they have to record this consent and have it legally documented.
Individuals have the right to withdraw their consent at any given time and companies have to comply with this request. Moreover, they have the right to request a copy of their data and companies have to produce a machine readable copy within 30 days of this request.
Organizations need to take the necessary technical and organizational measures to prove that they have made their data processing compliant with the concept of privacy by design. Encryption and pseudoanoymization are used for achieving these goals.
Companies also need to introduce audits and policy reviews to continually assess their privacy and compliance. This means that it is not a one-off process, but a continuous one that needs a person overseeing it.
Data breach notification is mandatory and involves all companies regardless of their size.
Organizations have to update their policies, procedures and systems accordingly; they need to revisit what data they collect and understand whether it is caught by the personal data requirements of the GDPR or not. Similarly, they should re-evaluate how they communicate privacy information to their data subjects, how they document it and be able to explain to them the legal basis they adopt. They should readjust systems and processes in order to follow the new rules.
Companies, especially smaller ones with limited infrastructures, should get ready to deal with their data subjects requests for data access and find ways that will save them time fulfilling them.
When it comes to children’s data, a parent or guardian’s consent is necessary.
Indeed, companies need to be prepared to identify, investigate and report data breaches. In certain cases they might consider appointing a Data Protection Officer (DPO).
Every business and public body that processes private data is affected. This includes retail, finance, automotive, property, travel, tech, advertising…virtually every employer within the EU and any company handling EU data regardless of its location.
At Publisto, we have the business and technical knowledge of data flow and supporting processes required to assist you preparing for the transition and to assess the impact the GDPR regulation will have on your business. For more information download our presentation or email us @ firstname.lastname@example.org.