GDPR is short for General Data Protection Regulation, the new EU regulation on data protection and privacy. In general, the regulation gives individuals in the EU and EEA (EØS) stronger rights over their personal data, which in turn requires every company that stores or processes data about those individuals to change its current practices.
The GDPR becomes effective on May 25th 2018, and surveys have shown that only a few companies are prepared for the new regulation, or even aware of what it means for their business and their personal data policies. This blog post highlights the important changes you should have in mind on the journey to becoming GDPR compliant - ahead of time.
What is GDPR?
The General Data Protection Regulation is new legislation on how businesses, government agencies and non-profits treat the personal data of their clients, users and employees. It is the first major overhaul in this area in over two decades, replacing the Data Protection Directive of 1995, and its aim is to renew laws and regulations on personal data protection that have not kept pace with modern technology and the ever-expanding amount of personal data stored in cloud solutions all over the world.
The new rules apply to all companies that process the personal data of individuals in the EU or EEA (EØS), regardless of where the company is located. A company operating in the US will therefore have to meet the GDPR requirements if it offers goods or services to, or monitors the behaviour of, people in one or more of the 31 EU or EEA (EØS) countries. The EU's goal is to improve personal data safety by strengthening the protection of individuals and giving them more rights than they have today.
The GDPR therefore includes important changes such as the individual's right to be forgotten (erasure) and the right to restrict how one's personal data is used, stored and processed, which will mean great changes in how businesses currently treat personal data.
Not complying with the new regulation could easily turn into an expensive mistake: the EU has set fines of up to 20 million euros or 4 % of the business' worldwide annual turnover, whichever is higher.
Who are the data subjects and what is personal data?
The GDPR defines a data subject as "...an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".
In addition, the GDPR defines personal data as "...any information relating to an identified or identifiable natural person, here defined as a 'data subject'".
"Do I need a controller?"
GDPR requires your company to carry out a Privacy Impact Assessment (PIA), called a Data Protection Impact Assessment (DPIA) in the regulation itself, whenever processing is likely to result in a high risk to individuals. Its purpose is to identify and minimize the risks to the data subjects, and with them the risk of non-compliance.
The responsibility for the formal PIA activity lies with the controller, which GDPR defines as "...the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law."
What will the GDPR mean to you and your business?
The new rules of the GDPR will mean significant changes for your organization, unless you have already adapted your business' IT strategy to meet the requirements of the regulation. In general, it requires you to collect, store and use personal data in new ways.
The changes from the new rules for handling personal data can be summarized as follows:
- All businesses must have a comprehensible statement on personal data protection that is easy to read and understand, both for everyone who works within the company and for the data subjects. All businesses must also evaluate the risks and consequences to the security of personal data, so that the business is always up to date on its personal data security.
- All businesses must keep the security of personal data in mind whenever changes in the business occur, so that personal data stays safe through organizational changes - and, more importantly, in the event of transfers of personal data to company sites outside the EEA (EØS) zone.
- All public bodies and many private businesses must appoint a Data Protection Officer (DPO), who can be an employee or a professional third-party consultant.
- All data processors get new responsibilities, such as new routines for how they may collect and use personal data, and for how they answer and respond to the controller.
- There will be stricter requirements for all businesses in handling security breaches. Businesses need to report breaches quicker and more often than under current procedures: a breach must be reported to the supervisory authority no later than 72 hours after the business becomes aware of it.
- All businesses must comply with the new rights of individuals, who now have the right to be forgotten and the right to move their personal data from one business to another. Individuals also have the right to object to profiling.
- Furthermore, all companies must answer requests from individuals about their personal data within one month.
We hope this blog post provided you with a useful overview of the new regulation. We will follow it up with a post on how to proceed to get GDPR ready - so stay tuned!
EUR-Lex: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), http://eur-lex.europa.eu/legal-content