In May 2018 the new General Data Protection Regulation of the European Union (EU GDPR) comes into force. This regulation has a huge impact on businesses worldwide that process the personal data of European citizens.
At the moment most businesses are not worrying too much about this regulation, especially in the small and midrange (SMB) market. They do not consider these new regulations a priority. Let’s summarise the areas of concern in the GDPR.
What is the General Data Protection Regulation (GDPR)?
The GDPR is a set of regulations that clearly define the boundaries for businesses and governments with regard to the protection and regulation of personal data. This regulation replaces the current EU General Data Privacy Directive.
The regulation has the following three clear goals:
- Ensuring protection of the fundamental privacy rights of data subjects.
- Replacing the 28 separate privacy laws of the EU member states with a single law.
- Creating privacy laws that keep pace with the ever-changing technology landscape.
The GDPR is now also clear on what it considers “privacy data”. The list is very extensive and contains most of the expected items, but it also contains less obvious items such as IP addresses, collected geo-location data and cultural sentiment data. Understanding these regulations therefore has to become a priority for all businesses, as failing to comply can lead to heavy fines and penalties.
What are the main regulations of this GDPR?
Increased Territorial Scope
The jurisdiction of the GDPR goes beyond the borders of the EU, as the regulation applies to all companies and organisations that process personal data of data subjects residing in the European Union. The applicability of the GDPR is very clear: it applies to the processing of personal data by controllers and processors in the EU, even if the processing itself takes place outside the EU. Non-EU businesses processing the data of EU citizens will have to appoint a representative in the EU.
Penalties
The penalties are really substantial, which is all the more reason to understand and comply with the GDPR. The following two categories of penalties show that the financial impact of non-compliance is huge.
- If a business does not have sufficient customer consent to process data, or violates the core Privacy by Design concepts, fines can reach 4% of annual global turnover or € 20 million (whichever is greater).
- If a business or organisation does not have its records in order (see article 28), does not notify the supervisory authority and the data subjects about a breach, or does not conduct impact assessments, fines can reach 2% of annual global turnover.
Consent
A request for consent must be presented in an easily accessible form, clearly communicated in plain, non-legal language, and it must be as easy to withdraw consent as it was to give it.
Breach Notification
When a data breach endangers the “rights and freedoms of individuals”, breach notification is mandatory in all member states and must be done within 72 hours of first becoming aware of the breach.
Data processors will also be required to notify their customers and data controllers without “undue delay”.
Right to Access
Data subjects have the right to obtain from the data controller confirmation of whether their personal data is being processed, where it is being processed and for what purpose. Furthermore, the controller shall provide a copy of the personal data, free of charge, in an electronic format.
Right to be Forgotten
Data subjects have the right to be forgotten, also known as the “Data Erasure Right”. This means that the data controller must erase all personal data and cease further processing of that data, including processing by third parties. The conditions for erasure are outlined in article 17.
Data Portability
The GDPR introduces data portability: the right of a data subject to receive the personal data concerning them, which they previously provided, in a ‘commonly used and machine-readable format’, and the right to transmit that data to another controller.
Privacy by Design
The concept of “Privacy by Design” becomes a legal requirement under the GDPR. Privacy must be part of the design stage of systems rather than an afterthought. Article 23 stipulates that controllers should hold and process only the data that is strictly necessary, and should limit access to this personal data to those who are authorised to process it.
Data Protection Officer
The appointment of a “Data Protection Officer” or DPO will be mandatory for those data controllers and processors whose core activities involve large-scale processing and monitoring of data subjects, special categories of data, or data relating to criminal convictions and offences. The DPO:
- Must be appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices
- May be a staff member or an external service provider
- Must have their contact details provided to the relevant DPA
- Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge
- Must report directly to the highest level of management
- Must not carry out any other tasks that could result in a conflict of interest
How can in2it help you prepare for GDPR?
In2it can help you identify critical GDPR improvement points in your application design, advise you on how to secure the processing workflow of this privacy data, and show you how to minimise your privacy data footprint without giving up the usability of your application or service.
Contact us for more details or to make an appointment.