What’s the buzz about GDPR?
Data protection directives are nothing new to EU-based countries. The national implementations of those directives are vast, complex and differ across EU member states. For this reason, the EU has developed a single set of rules for data protection, replacing the Data Protection Directive from 1995 and valid across all member states, called the General Data Protection Regulation (GDPR). Unlike a directive, the regulation is directly binding and applicable in the member states.
The GDPR mandates increased responsibility and accountability for any type of organisation that processes, stores or manipulates personal data, and it includes heavy sanctions in case of non-compliance. The main objectives of the GDPR are to reduce data breaches, to speed up the notification and disclosure of breaches, and to empower citizens with regard to their own data. People will have easier access to their own data and will be able to transfer personal data from one service provider to another more freely. The regulation will also provide controls to help people better manage data protection risks online.
What are the main requirements?
- Before personally identifiable information (PII) is collected, organizations must obtain consent which states what data sets are collected and for what purpose.
- The consent must be in opt-in form and must be clearly distinguishable from other matters such as terms and conditions.
- Individuals must be able to revoke the consent at any time easily.
- The collection of consent must be documented to provide transparency of when it was collected.
- If information is collected from minors, consent must be obtained from a legal guardian.
- A minor is someone under 16 years old (although member states have the ability to lower this to 13 years).
- The consent to process data must be explicit. Consent to transfer personal data outside the Union must now also be explicit.
Legitimate Purpose Specification and Use Limitation
- Information security policies (and supporting procedures) have to be in place to demonstrate that the collection of the PII is relevant and limited to what is necessary.
- Organizations must have legitimate grounds for collecting and using the personal data.
Data Subjects’ Rights
- Organizations need to facilitate individuals' right to access their own PII, to correct inaccurate data and to challenge automated decisions about them. The GDPR also retains the right to object to direct marketing.
- The obligation to erase personal data without undue delay (the “right to be forgotten”) and the right to data portability must be honoured.
- Individuals must be informed that their data is being processed.
New Job Roles
- Organizations may be obligated to appoint a data protection officer. This depends on the kind of PII processing carried out.
- The data protection officer must report directly to the highest level of management within the organisation.
- The GDPR expands the requirements that organizations must include in its contracts with third-party processors.
- The GDPR requires organizations to carry out due diligence on their third-party service providers.
- The GDPR imposes detailed and demanding breach notification requirements. Both the authorities and affected customers must be notified without undue delay and, where feasible, no later than 72 hours after the organization has become aware of the breach.
- Personal data must be anonymised and encrypted where necessary.
- Organizations must ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- Availability and access to personal data must be restored in a timely manner in the event of a physical or technical incident.
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing must be in place.
What are the penalties for non-compliance?
Organizations can be fined up to 4% of annual global turnover or €20 million for breaching the GDPR. This is the maximum fine, reserved for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core privacy-by-design concepts. Fines are tiered: for example, a company can be fined 2% for not having its records in order (article 28), for not notifying the supervisory authority and the data subject about a breach, or for not conducting an impact assessment.
Where does this leave you?
We have listed above some of the GDPR requirements that come into effect on May 25th, 2018. While some of them are not really new requirements, there has been a shift in the consequences of not being compliant. Our GDPR Readiness Check helps you find where processes and technology need to be adapted, and lays out a roadmap to compliance for you. We will advise on specific requirements and on how they can be implemented to best fit your business processes, and we bridge the gap by providing expert technical guidance in the design and development of your web application and infrastructure architecture.