GDPR is the new regulation that will take effect as of May 25th, 2018.
GDPR stands for General Data Protection Regulation. The European Parliament and Council decided the new regulation in April 2016, under the EU Reg. number 2016/679.
It replaces the obsolete Data Protection Directive 95/46 and becomes mandatory as of May 25th, 2018 for all businesses that do business with European citizens and European businesses. In fact, if your company is based in the US, Canada or any other country outside the EU, and it processes data from European businesses, and that data includes information about individuals, that information is protected and covered by the GDPR. So the regulation affects not only data about individuals, but also data from companies that contains information about individuals.
Therefore, all companies, European and non-European, that are compliant with the above-mentioned directive must now prepare to comply with the new regulation.
Businesses that fail to comply with GDPR before the deadline will be subject to severe consequences and fines.
The GDPR provides a single list of requirements that applies to every Member State of the European Union. This creates a more consistent set of rules to protect consumers across the EU.
Hence, with the new regulation, the GDPR (Reg. EU 2016/679), the European Parliament has standardized data protection law across all EU members, so that each member state no longer needs to write its own data protection laws, assuring consistency across the entire EU, including the UK.
Accordingly, the new regulation will have an impact on data protection requirements globally.
Here are the most important requirements:
- Consent of subjects for data processing
- Anonymizing collected data to protect privacy
- Providing data breach notifications
- Safely handling the transfer of data across borders
- Requiring certain companies to appoint a data protection officer to oversee GDPR compliance
In other words, the GDPR prescribes a model for businesses that manage EU citizens’ data so that the handling of citizens’ personal data is better protected.
Who must comply with GDPR?
All businesses, whether based inside or outside the European Union, that handle data from European citizens. Data from European companies containing information about individuals must also be handled according to the GDPR. So, no matter where your company is located, you are required to comply with the GDPR if you do business with the EU (market goods or services, buy goods or services, and in doing so need to manage personal data).
The most important articles of GDPR and individual rights
The new regulation consists of 11 chapters and 91 articles. We now itemize and explain those that have a significant impact on security operations:
Articles 17 – 21 Rights
The GDPR gives individuals more control over personal data that is processed automatically. Individuals have the right to portability, which means they may be able to transfer their personal data between service providers with ease. In addition, they have the right to erasure, also known as the right to be forgotten, meaning they can order a data controller to delete their data under certain circumstances.
CHAPTER IV, Controller and processor, Section 1, General obligations, Article 24 and subsequent articles, Responsibility of the controller
These articles require businesses to implement reasonable data protection measures to protect consumers’ personal data and privacy against loss or exposure. However, the regulation does not explain what “reasonable” means. Certainly, it means you must secure the data, so if your company collects data by means of websites, the least you can do is install an SSL certificate so that the data is encrypted in transit. Encryption is important.
Section 2, Security of personal data, Article 32, Security of processing and subsequent articles – Data breach
The GDPR specifies requirements for handling each data breach. It orders the controller and the processor and, where applicable, their representatives, to report a personal data breach to the Supervisory Authority within 72 hours of learning of the breach (Article 33). In addition, you ought to provide specific details of the breach, e.g. the nature of the breach and the approximate number of data subjects affected. Importantly, data controllers must inform the affected individuals as quickly as possible when a breach places their rights and freedoms at high risk.
Section 3, Data protection impact assessment and prior consultation, Article 35 and subsequent articles, Data protection impact assessment
You are required to describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned (33a).
To comply, your business is required to perform Data Protection Impact Assessments to detect and identify risks to consumer data, and Data Protection Compliance Reviews to ensure those risks are addressed.
Section 4, Data protection officer, Article 37 and subsequent articles, Designation of the data protection officer.
Some companies must appoint data protection officers. Specifically, any company that processes data revealing a subject’s genetic data, health, racial or ethnic origin, religious beliefs, etc. must designate a data protection officer; these officers advise companies on compliance with the regulation and act as the point of contact with Supervisory Authorities. Be careful: if your company collects personal information about employees as part of its human resources processes, it must comply with this as well.
Article 38 – Position of the data protection officer
- The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
CHAPTER VIII, Remedies, liability and penalties, Article 77 and subsequent articles.
Penalties for non-compliance are substantial.
Supervisory Authorities have more power than under the former legislation.
Authorities hold investigative powers; they can:
- Issue warnings for non-compliance;
- Perform audits to ensure compliance;
- Require companies to make specified improvements by prescribed deadlines;
- Order data deletion;
- Inhibit companies from transferring data to other countries.
Data controllers and processors are subject to the Supervisory Authorities and the fines they impose.
Fines may be up to EUR 20 million or 4% of total global annual turnover, whichever is greater (Article 83, General conditions for imposing administrative fines).
Not only big businesses but all organizations, including small and medium-sized companies, have to learn and comply with the GDPR requirements.
Since it becomes mandatory on May 25th, 2018, it is advisable to start implementing data protection solutions right now, as this will help you achieve GDPR compliance when it comes into force.
One of the first things to do is to designate a DPO (Data Protection Officer) to build a proper policy that meets the GDPR requirements.
Remember, the GDPR does not apply only to businesses in the EU: it is mandatory for all businesses marketing services or goods to EU citizens and businesses.
If you have any questions about the GDPR, or want us to help you with your data protection program, do not hesitate to contact us. We will be glad to assist you by means of our GDPR advice service.