What is GDPR?
The General Data Protection Regulation (GDPR) is a broad set of rights and principles, enacted into law by the European Union to ensure the protection and use of personal data pertaining to EU residents. These regulations are extensive, featuring 173 recitals, 99 articles, and 160 pages, and they will be enforced with teeth.
When will it be implemented?
The EU enacted GDPR on May 24th, 2016 and enforcement of it will begin on May 25th, 2018. Companies that are not compliant with the regulations by May 25th, 2018, and experience a breach of personal data, can expect to face steep fines, i.e. up to 4% of global revenue or 20 million Euro (whichever is higher)!
What does it affect?
- Any organization that stores or processes personal information about EU subjects, including non-EU entities.
- Any company that has a presence in an EU country, either by offering goods and services to EU citizens or by monitoring their behaviour.
- If a company does not have a physical presence in the EU, but processes the data of EU subjects, it will still be subject to GDPR.
- Large companies
- Small and medium-sized enterprises are affected if they conduct data processing that impacts the rights and freedoms of data subjects, or if that processing involves sensitive personal data on more than an occasional basis.
Data, Processes, & People
Data refers to any information that your business uses, processes, stores, or needs. Some things you would expect to see on this list are:
- Customer data
- Employee information (current & former)
- Financial Information
But there are other things that you may not expect to qualify, such as: vendor lists, certifications, access to resources and credentials, physical access, unstructured [big] data, logs, etc.
Personal data includes any information relating to an identified or identifiable natural person. An identifiable person is one whose identity can be determined either directly or indirectly by reference to an identifier. Keep in mind there is a difference between personal data and sensitive personal data, where the latter corresponds to anything relevant to religious beliefs, sexuality, etc. Sensitive personal data is protected to higher standards, and breaches are subject to larger penalties.
Processes refer to those that are critical to the business, such as:
- Customer communications
- Social Media
- Supply Chain & Materials
- Industrial Controls
- Physical Access & Trade Secrets
Finally, consider the people who are responsible for business operations, and what they have access to. For example, evaluate the following:
- Current and former employees
- Customers and Potential Customers
What are the goals of GDPR?
GDPR asserts that the protection of data privacy is a fundamental right. These regulations will give control back to the citizens and residents of the EU over their personal data. Furthermore, they will simplify the regulatory environment for international business, by unifying regulations across the EU.
- Transparency for data subjects – meaning the people whose data is collected should be able to find out what the data is collected for, its purpose, who has access to the data, and how long the data lives in the system. Furthermore, they should be able to verify, correct, export, move, and erase their data as easily as it was provided in the first place.
- Privacy by design, which minimizes data collection and retention, whilst gaining consent from customers.
- This includes having a valid basis for processing personal data – it should answer the question of why the data is being processed and what right the company has to do so.
- Consent must be clear, precise, and understandable. It cannot be pre-set. It should also be just as easy to cancel the consent as it was to grant it to begin with.
- Data Protection Impact Assessments (DPIA)
- For certain data, companies will have to evaluate the risks to privacy (in advance).
- Right to erasure and to be forgotten
- Citizens have the right to request that companies erase personal data and inform them how long they will store the data.
- Extraterritoriality – GDPR applies even if a company does not have a physical presence in the EU, but collects data about EU subjects.
- Breach notification requirements to both data authorities and the persons affected
- Steep fines for non-compliance
Centry can help!
This article was written by Dave Ehman and Kristina Weber of Centry LTD.