The General Data Protection Regulation (GDPR) — which safeguards the processing of any personal data for all individuals within the European Union — is the most important change in data privacy regulation in 20 years. Its primary aim? To put EU residents in control of their personal data. By unifying the regulation within the EU, it’s intended to simplify the regulatory environment for international businesses. As it becomes enforceable on May 25, 2018, developing a plan for GDPR compliance will be crucial for all organizations.
Who will be affected?
All organizations within the EU will be responsible for adherence to the GDPR. Businesses located outside of the EU that offer goods or services to, or monitor the behavior of, EU residents will also be affected. The GDPR applies to all companies that collect, process, or store the personal data of individuals residing in the European Union, regardless of the company’s location.
What constitutes personal data?
Personal data is any information about an individual that can directly or indirectly identify them. This includes a name, photo, email address, bank details, posts on social networking websites, medical information, or a computer IP address.
Compliance challenges
To comply with the GDPR, organizations must have clear documentation and policies on how to handle personal data — where it lives, how it’s used, who’s accessing it and, most importantly, how it’s being secured. Unfortunately, many organizations aren’t equipped with the appropriate internal processes and technologies to ensure that the personal data of EU residents will be protected under the new regulation. Here’s what’s expected of organizations under the GDPR.
Breach notification
Organizations will be subject to a specific set of processes to follow in the event of a data breach. Breaches must be reported to all affected individuals within 72 hours. You’ll be expected to have an incident response plan in place that identifies the breached data, documents your process for notification, restores data protection, and updates your controls.
Right to access
As the GDPR shifts the control of personal data back into the hands of individuals, organizations will now have to comply with its principle of ‘transparency.’ Individuals are empowered to request their personal data. They have the right to be notified about it — how it’s processed, where, and for what purpose. This documentation must be provided within one month of the request.
Privacy by design
Privacy by design has existed for years, but now it’s supported by the GDPR. It calls for the integration of data privacy controls at the onset of designing systems and services. It also limits data collection to only what’s absolutely necessary and requires that data be stored no longer than necessary.
Right to be forgotten
Otherwise known as data erasure, this component entitles individuals to have their data destroyed. They can request that the organization erase their personal data and cease further dissemination of the data. Any request to withdraw consent to process one’s data must be honored. Organizations must provide grounds for consent in an intelligible and easily accessible form using clear and plain language.
Pseudonymisation
Encryption — the process of rendering original data unintelligible without a decryption key — is the foundation of data protection. It’s also an example of pseudonymisation. The GDPR refers to pseudonymisation as a process that transforms personal data in such a way that an individual can’t be identified by it without the use of additional information, i.e., a key. Anonymization, which removes personally identifiable information from data, is another option.
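To make the distinction above concrete, here is an added illustration (not code from the original article) of pseudonymisation versus anonymisation on a constructed customer record: a keyed HMAC replaces the direct identifier with a token that is only linkable back to the person by whoever holds the key, while anonymisation drops identifiers and generalises the rest so that no key can restore them. The records, the key and the field names are all assumptions made for this example.

```python
import hmac
import hashlib
import ipaddress

# Constructed sample records for this example; not real people.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org",
     "ip": "203.0.113.42", "order_total": 120},
    {"name": "Bob Example", "email": "bob@example.org",
     "ip": "198.51.100.7", "order_total": 35},
]

# The "additional information" the GDPR refers to. In practice this is stored
# separately from the dataset; the value here is a constructed demo key.
PSEUDONYMISATION_KEY = b"constructed-demo-key-do-not-reuse"


def pseudonymise_id(value: str, key: bytes) -> str:
    """Turn a direct identifier into a stable token with HMAC-SHA256.

    Without the key the token cannot be linked back to the person; with the
    key the same input always yields the same token, so records remain joinable.
    """
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise_record(record: dict, key: bytes) -> dict:
    """Replace name and e-mail with a keyed token; other fields are kept."""
    out = dict(record)
    out["subject_token"] = pseudonymise_id(record["email"], key)
    del out["name"]
    del out["email"]
    return out


def anonymise_record(record: dict) -> dict:
    """Drop direct identifiers and generalise the IP to its /24 network.

    Nothing here is reversible, so the result is anonymised, not pseudonymised.
    """
    net = ipaddress.ip_network(f"{record['ip']}/24", strict=False)
    return {"ip_prefix": str(net), "order_total": record["order_total"]}


def re_identify(token: str, candidates: list, key: bytes):
    """Find which known e-mail address produced a token. Needs the key."""
    for email in candidates:
        if hmac.compare_digest(pseudonymise_id(email, key), token):
            return email
    return None
```

The token stays constant across records for the same person, which is exactly what keeps pseudonymised data inside the GDPR's definition of personal data: it is still linkable by anyone who obtains the key.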
Are you prepared to prove GDPR compliance?
Looking for a quick way to gauge preparedness? Ask yourself these questions:
- Can we provide a documented overview of all our data sources?
- Can we prove that appropriate data protection processes are in place?
- Do we have all the necessary documentation and audit trails?
- Can we completely erase all instances of consumer data upon request?
- Can we prove that we practice privacy by design?
Penalties
Breaching the GDPR can result in substantial legal fees and costly fines — on the high end, up to 4 percent of annual global revenue or €20 million, whichever is greater. Lower-tier fines for privacy violations, such as failing to report a data breach within 72 hours, can cost an organization up to €10 million or 2 percent of total worldwide revenue. More important than the financial penalty, though, is the damage to your brand and to the reputation you’ve worked so hard to establish. Compliance is crucial; otherwise, your customers, employees, and IT systems are all at risk of compromise.
Preparedness is key
GDPR fundamentally changes how organizations approach data management and privacy protection — as well as the level of control that individuals retain over their personal data. It’s not surprising, then, that the words 'privacy' and 'security' feature heavily throughout the full text of the new regulation. Do you fully understand what personal data is and the many places it’s stored? Do you have an incident response plan in place? With an impending enforcement date of May 25, 2018, now isn’t the time for hesitation. Adherence to the GDPR isn’t only a legal requirement; it demonstrates your commitment to privacy protection — and your investment in your customers.