The GDPR (2016/679) was initially published by the European Commission in January 2012. After four years of negotiation, it was finally adopted on 27 April 2016. Following a two-year implementation period, the GDPR comes into force across the European Union on 25 May 2018. It will replace the existing Data Protection Directive 95/46/EC. The GDPR introduces substantial changes to European data protection law, along with severe financial penalties for non-compliance. It is therefore important for businesses to start taking steps now to prepare for implementation of the new rules.
In parallel with the GDPR, the European Commission proposed the Law Enforcement Data Protection Directive (2016/680) (LEDP Directive), on protecting personal data processed for law enforcement purposes, which will replace the Data Protection Framework Decision 2008. The LEDP Directive has not attracted as much attention and debate as the GDPR, but they constitute a package and were adopted together. The LEDP Directive must be transposed into national law by Member States by 6 May 2018.
Some of the key privacy and data protection requirements of the GDPR include:
- Requiring the consent of subjects for data processing
- Anonymizing collected data to protect privacy
- Providing data breach notifications
- Safely handling the transfer of data across borders
- Requiring certain companies to appoint a data protection officer to oversee GDPR compliance
The GDPR itself contains 11 chapters and 91 articles. The following are some of the chapters and articles that have the greatest potential impact on security operations:
- Articles 17 & 18 – Articles 17 and 18 of the GDPR give data subjects more control over personal data that is processed automatically. The result is that data subjects may transfer their personal data between service providers more easily (also called the “right to portability”), and they may direct a controller to erase their personal data under certain circumstances (also called the “right to erasure”).
- Articles 23 & 30 – Articles 23 and 30 require companies to implement reasonable data protection measures to protect consumers’ personal data and privacy against loss or exposure.
- Articles 31 & 32 – Data breach notifications play a large role in the GDPR text. Article 31 specifies requirements for single data breaches: controllers must notify supervisory authorities (SAs) of a personal data breach within 72 hours of learning of the breach and must provide specific details of the breach, such as its nature and the approximate number of data subjects affected. Article 32 requires data controllers to notify data subjects as quickly as possible of breaches that place their rights and freedoms at high risk.
- Articles 33 & 33a – Articles 33 and 33a require companies to perform Data Protection Impact Assessments to identify risks to consumer data and Data Protection Compliance Reviews to ensure those risks are addressed.
- Article 35 – Article 35 requires that certain companies appoint data protection officers. Specifically, any company that processes data revealing a subject’s genetic data, health, racial or ethnic origin, religious beliefs, etc. must designate a data protection officer; these officers serve to advise companies about compliance with the regulation and act as a point of contact with Supervising Authorities (SAs). Some companies may be subjected to this aspect of the GDPR simply because they collect personal information about their employees as part of human resources processes.
- Articles 36 & 37 – Articles 36 and 37 outline the data protection officer position and its responsibilities in ensuring GDPR compliance as well as reporting to Supervisory Authorities and data subjects.
- Article 45 – Article 45 extends data protection requirements to international companies that collect or process EU citizens’ personal data, subjecting them to the same requirements and penalties as EU-based companies.
- Article 79 – Article 79 outlines the penalties for GDPR non-compliance, which can be up to 4% of the violating company’s global annual revenue depending on the nature of the violation.
In comparison to the former Data Protection Directive, the GDPR has increased penalties for non-compliance. Organizations can be fined up to 4% of annual global turnover or €20 million for breaching the GDPR. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines, e.g. a company can be fined 2% for not having its records in order (Article 28), for not notifying the supervising authority and data subject about a breach, or for not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors, meaning 'clouds' will not be exempt from GDPR enforcement.
All organizations, including small to medium-sized companies and large enterprises, must be aware of all GDPR requirements and be prepared to comply by May 2018. By beginning to implement data protection policies and solutions now, companies will be in a much better position to achieve GDPR compliance when it takes effect. For many of these companies, the first step in complying with GDPR is to designate a data protection officer to build a data protection program that meets the GDPR requirements.
The General Data Protection Regulation not only applies to businesses in the EU; all businesses marketing services or goods to EU citizens should be preparing to comply with GDPR as well. By complying with GDPR requirements, businesses will benefit from avoiding costly penalties while improving customer data protection and trust.
Intraway helps organizations quickly operationalize GDPR concepts, protect consumers' personal data, and remain compliant.
The General Data Protection Regulations will give people stronger rights to know how their information is used
- GDPR stands for the General Data Protection Regulation which will become law across the EU in May 2018
- The new legislation will replace extremely outdated data protection regulation. The current legislation was last amended in 2003, before many of the most ubiquitous holders of personal data – Facebook, Instagram, Twitter – were even created.
- All companies across the EU are subject to the rules. If you hold any consumer data that could identify a person, you must handle it carefully and legally.
- This does not just include passwords, PIN numbers or dates of birth – it includes location data, social security numbers, IP addresses, email addresses, as well as details on physical characteristics such as age, race, physical attributes, gender and many others.
- Even if you are not responsible for a leak or unintended sharing of consumers' personal data with unauthorised parties – for instance, if your company's database is hacked – you could still be legally liable for significant fines, even if a third party illegally exposes the personal details of others.
- The new laws will also codify how and when consumers can ask for their data to be transferred to a third party or destroyed.
- Consent is a cornerstone of the new regulations and will require higher standards than the current 'tick-box' method for requesting permission to share or store consumers' data.
- Crucially, consent must be capable of being withdrawn at any time by the individual with the same level of ease as when they gave it. No company has a right to an EU citizen's personal data forever just because permission was given on one occasion.
- The new regulations will require quite a bit of work on the part of companies to adapt to, but are designed to make the rules more straightforward for businesses as well as protecting consumers – it is estimated that the new code could save the EU more than €2bn collectively on an annual basis.
- GDPR does not just level the playing field within the EU – companies outside of the EU are also subject to the regulation if they store any data relating to EU citizens.