GDPR Arrives on May 25: What It Means for You
The data produced at home and at work have become integral to functioning in our cyber-connected world. But with the proliferation of data and interconnected devices comes the vulnerabilities affecting the access, integrity, and security of that data.
Major headlines detailing breaches over the past decade affecting nearly 2 billion users — across governments, national militaries, financial institutions, media outlets, and online services — have highlighted the importance of both organizational and personal data protection.
To address this concern and to uphold information rights in the public interest, the European Union (EU) developed the General Data Protection Regulation (GDPR), which will impact the data used by all European citizens, as well as the organizations that serve and do business with them. The EU will begin enforcement of GDPR on May 25, 2018.
Do you know how GDPR will affect your organization, and are you prepared for these changes? The first step is to learn the GDPR basics.
- Data Protection: Building on and expanding the Data Protection Act 1998 (DPA), the GDPR outlines principles to guide organizations through digital interactions relative to data subjects and their personal data. Specifically, the GDPR addresses:
- Accountability: You are responsible for developing technical and organizational measures demonstrating GDPR compliance (e.g., staff training, internal audits of processes, and HR policy reviews). When appropriate, you’ll need to appoint a Data Protection Officer (DPO) to conduct Protection Impact Assessments (PIA).You will also be accountable for implementing measures to meet GDPR’s principles of data protection. These measures include minimizing data collection from data subjects, treating pseudonymous data as personal data, achieving transparency in your data processing, and developing data security features.
- Consent: GDPR requires affirmative consent to be documented, and individuals have the right to withdraw consent at any time. Your organization should not collect any personal data from individuals before you have asked for and received their permission. You must acquire, document, and save their permissions. Individuals also have the right to withdraw consent—your organization must put in place a process for withdrawal.
- Documentation: Your organization needs to show name and contact info for your DPO, as well details regarding how information is processed and protected, including retention schedules and security measures.
- Processing Criminal Data: Any processing of personal data related to criminal convictions or offenses should be done only when authorized by the EU or other government entity.
- Unnecessary Processing: If data controllers no longer have a purpose for an individual’s identification, they will not need to maintain, acquire, or process additional personal information.
- Processing Special Data Categories: The GDPR prohibits the processing of personal data revealing any of the following, unless specified by the EU or other government laws (or specifically exempted in GDPR, Article 9):
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data for the purpose of uniquely identifying a natural person
- Data concerning health or data concerning a natural person’s sex life or sexual orientation.
- Data Subject Rights: The GDPR strengthens existing rights and creates new ones, including the following:
- The Right to Be Informed: Organizations must be transparent and provide information and documentation on how you use personal data.
- The Right of Access: To verify the lawfulness of their data processing, individuals are entitled to obtain confirmation when their data is processed, and they must be given access to that data.
- Child Data Protection: Processing children’s personal data is lawful for individuals age 16 and older. For those younger than 16 years of age, you must obtain documented consent from a parent or person with authorized parental responsibility.
- The Right to Rectification: Individuals have a right to rectify inaccurate or incomplete data, and organizations have the responsibility to disclose rectifications to third parties within one month.
- The Right to Erasure: Individual may request the deletion or removal of personal data if there is no compelling reason for its retention or continued processing.
- The Right to Data Portability: This allows individuals to easily and securely move, copy, or transfer data from one IT environment to another.
- The Right to Object: Individuals have the right to object to processing based on legitimate public interests (including profiling), direct marketing, and purposes of scientific or historical research and statistics.
If you think you will be exempt from these regulations due to company size, think again. The GDPR does away with the criterion of number of employees and focuses instead on what organizations do with personal information. Any company, regardless of location, that processes personal data of an EU resident, is subject to the GDPR. Non-EU businesses processing data of EU citizens must appoint a representative in the EU.
Lastly, these regulations have penalties associated with noncompliance (up to 4% of annual global turnover or £20 million, whichever is greater). No need to panic! There is still time to become GDPR compliant before May 25.
If you are unsure of your organization’s readiness when it comes to requirements for protecting the rights of data subjects (Chapter 3 of GDPR), let FileFacets help you understand and meet the requirements.
Additionally, Article 22 of the GDPR protects individuals against solely automated decision-making (no human interface), especially in legal or other similarly significant matters. This includes algorithm-based profiling.
GDPR assesses penalties for noncompliance (up to 4% of annual global turnover or £20 million, whichever is greater), so there is terrific incentive to be ready for implementation on May 25.