What is GDPR?
GDPR is a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states, and non-compliance could cost companies dearly.
Key points:
- GDPR intends to strengthen and unify data protection for all individuals within the EU.
- It addresses the export of personal data outside the EU.
- It aims to give citizens and residents control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
- It replaces the Data Protection Directive of 1995 (officially Directive 95/46/EC).
- Enforceable from 25 May 2018 after a two-year transition period.
Any company that stores or processes personal information about EU citizens within EU states must comply with GDPR, even if it has no business presence within the EU.
GDPR Scope:
- Data controller – businesses that collect data from EU residents
- Data processor – businesses that process data on behalf of a controller
- Data subject – a person based in the EU
- Others – organizations based outside the EU that collect or process personal data of EU residents
GDPR protects personal data, which includes:
- PII (basic identity information like name, address and ID)
- Web data (location, IP address, cookie data etc.)
- Health and genetic data
- Racial or ethnic data
- Political opinions
- Sexual orientation
According to the European Commission, “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
GDPR guidelines and key requirements:
- Data coverage – personal data of EU residents must be protected
- Lawful basis for processing – data may be processed only if there is at least one lawful basis for doing so under the GDPR guidelines
- Consent – where consent is used as the lawful basis for processing, the business must be able to demonstrate proof of that consent
- Data protection officer (DPO) – the controller and the processor must designate a DPO to oversee the data security strategy and GDPR compliance
- Pseudonymisation – pseudonymised data (encrypted data) is still considered personal data and remains covered by GDPR
- Data breach – inform the GDPR Board Representative within 72 hours of a breach and inform impacted individuals within a reasonable amount of time
- Right to access – EU citizens have the right to access their personal data and to learn how it is processed
- Right to be forgotten / data erasure – the controller and processor must allow EU residents to request erasure of their data and must cease further dissemination of it
How to Comply?
- Audit the current processes – audit and risk-assess the current data collection processes and the data already collected. Focus on: 1. How are you collecting data? 2. How are you using the data? 3. Who are you sharing the data with? 4. How are you storing the data? 5. How are you deleting the data?
- Impact and gap analysis – work closely with your department heads, legal team, finance and human resources. Identify the types of PII held, initiate GDPR awareness programs, designate a DPO and update privacy notices.
- Prepare an explanation of collected data – be prepared with clear documentation and recorded procedures to prove that you meet the new standards.
- Historic data – review historic data and, where appropriate, revise it to ensure it complies with the new standards.
- Consent from the individual – update your systems so that individuals in the EU can register their consent via opt-in/opt-out. Individuals must be given a genuine choice and control over how their personal data is used, and must be able to opt in or withdraw consent whenever they see fit. Maintain records as evidence, and review and refresh them regularly.
- Right to be forgotten / data erasure – update your systems and processes so that individuals can request erasure of their personal data, so that you cease further dissemination of it, and so that third parties can be made to stop processing it where applicable.
Time is Ticking
Comply before 25 May 2018.
For non-compliance: fines of up to 20 million EUR or 4% of annual global turnover, whichever is greater.
This article was originally published here on LinkedIn.