GDPR: an acronym that is starting to become better known. The General Data Protection Regulation is a new EU regulation whose primary objective is to harmonize personal data protection law across Europe. But it does more than that: it will be the reference point for data protection for years to come.
The Regulation entered into force in May 2016 and includes a two-year preparation period before it applies. In practice, this means that from 25 May 2018 most companies that handle the personal data of people in the EU will have to comply with the GDPR. The GDPR brings several new rights for individuals and, with them, new obligations for companies.
One of the main results of this reform of European law is the strengthening of individuals’ control over their personal data, whether it relates to their private, professional or public life. If you are in the European Union, you will have more control over information such as your name, photos, email addresses, bank details, medical information, messages posted on social networks or your computer’s IP address. Everyone has the right to know how their data is being used, as well as the right to have their data deleted on request, subject to the conditions the Regulation sets (the right to erasure is not absolute: a company may, for example, still have to keep data to meet a legal obligation).
Who is subject to the GDPR?
The rules apply to any company offering products or services to people in the EU, or monitoring their behaviour, regardless of whether its servers are located inside or outside the EU. The rules cut across all business sectors, but companies that handle sensitive data, such as the financial and health sectors, electronic communications operators and anyone whose marketing activities include profiling, will face more restrictive requirements.
Companies that process such data must put in place controls and specific procedures for managing and protecting the data of their customers and employees.
This applies to all organizations, private and public alike, and the fines for failing to meet these obligations reach €20 million or 4% of annual worldwide turnover, whichever is higher.
Google already offers a web form through which individuals can ask for certain search results linked to their name to be removed. That form predates the GDPR (it followed the 2014 Court of Justice of the EU ruling on the “right to be forgotten”), but it is a good illustration of the kind of request organizations should expect to receive.
Key points about the GDPR:
- The GDPR is already in force but has a two-year preparation period, so from May 2018 your organization must be in compliance. Fines may reach EUR 20 million or 4% of worldwide annual turnover, whichever is higher.
- The aim of the GDPR is to harmonize data protection legislation across the EU and to eliminate the differences between the legal regimes of the member states.
- Under the GDPR, “personal data” is any information relating to an identified or identifiable natural person, that is, anyone who can be identified directly or indirectly, including through location data or online identifiers such as IP addresses.
- Correct application of the GDPR may require the appointment of a Data Protection Officer (DPO) and a technical team with both technological and legal know-how.
- Companies are obliged to report a personal data breach to the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk, the affected individuals must be informed as well.
- Privacy and data protection by design and by default: privacy, and the security that supports it, must be considered at the design stage of every process, application and system, and the most privacy-protective settings must be the default.
The GDPR gives you the power to:
- Easily access, rectify and control your personal data;
- Transfer your data from one service provider to another (data portability);
- Ask a company to delete your personal data (the “right to be forgotten”, formally the right to erasure);
- Know when your data has been affected by a security breach.
What needs to change in your company?
The new legal framework brings a series of changes whose impact will differ from one organization to another, depending on its sector, its size and the way it processes personal data.
It is up to each organization to define or update its processes, involving several areas in the work, such as the Legal Department, Marketing and IT.
Your company will, for example, have to ensure that it:
- Can demonstrate compliance with the Regulation (the accountability principle), which starts with an inventory of what personal data it holds and why.
- Has a valid lawful basis for every category of personal data it processes. Where that basis is consent, the consent must be freely given, specific, informed and unambiguous, and explicit for special categories of data such as health data; consent is only one of several lawful bases.
- Has processes in place to deal with the new rights, such as access, erasure and portability requests.
- Presents its privacy policies in a clear and plain manner.
- Appoints a Data Protection Officer where the Regulation requires one.
Technological measures that should be implemented
Alongside the process changes, a series of technical measures should be put in place, for example:
- Implement intrusion detection systems and keep the logs needed to recognize a breach in time to meet the 72-hour notification window;
- Enforce authentication and access control for access to networks and systems, granting each account only the access its role needs;
- Implement a backup system and regularly test that backups can actually be restored;
- Encrypt all emails that contain lists of personal data;
- Encrypt all devices that contain personal data, including computers, smartphones, tablets and USB pens, so that a lost device does not expose readable data;
- Ensure that information stored in cloud services is encrypted, preferably with keys the organization controls.
If you are in charge of a company that you think will be affected by this Regulation, a good way to know whether you are on the right path is to ask yourself this question: in your company, do you know what personal data are being processed (whether of customers or employees), what the purpose of that processing is, and where that information resides?
If the answer is a confident yes, you are well on your way to finishing whatever remains to comply with the GDPR. If the answer is shaky, or simply an honest no, it is time to look at privacy with fresh eyes and put the GDPR at the top of your priorities.
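The closing question (what personal data, and where) is one few organizations can answer from memory, and the definition above deliberately includes email addresses and IP addresses. As an added example that is not part of the original article, the following Python script (standard library only) performs a first-pass discovery scan over a constructed, hypothetical set of files: it looks for email addresses, international phone numbers and IPv4 addresses, validates IPv4 hits so that version strings and error codes are not reported as addresses, and masks every hit so that the inventory does not itself become another copy of the personal data it catalogues. The file names, contents and regular expressions are assumptions for illustration; a real scan would add patterns for the identifiers your organization actually uses (national ID numbers, customer numbers) and run over the real shares, databases and mailboxes.

```python
"""Minimal personal-data discovery scan: where do email addresses, phone
numbers and IP addresses live in our files? Standard library only."""
import ipaddress
import re
from collections import Counter, namedtuple
from pathlib import Path
from typing import Dict, Iterable, List

# One hit: file, identifier type, line number, and a redacted copy of the value.
Finding = namedtuple("Finding", "path kind line masked")

# Detection patterns for three identifier types the Regulation treats as
# personal data. Regexes over-match, so IPv4 hits are validated below.
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "phone": re.compile(r"\+\d{1,3}(?:[ -]?\d{2,4}){2,4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Constructed sample "file share" (path -> contents). Hypothetical data only.
SAMPLE_FILES = {
    "hr/employees.csv": (
        "name,email,phone\n"
        "Ana Silva,ana.silva@example.com,+351 912 345 678\n"
    ),
    "ops/access.log": (
        '10.0.0.5 - - [12/Mar/2018:10:00:00 +0000] "GET / HTTP/1.1" 200\n'
        '203.0.113.42 - - [12/Mar/2018:10:00:01 +0000] "GET /login HTTP/1.1" 200\n'
    ),
    # Looks like personal data to a naive regex but is not: a version string
    # and an error code that fails IPv4 validation.
    "docs/readme.txt": "Version 2.3.4 released. Error code 999.1.1.1 is retired.\n",
}


def mask(value: str) -> str:
    """Redact a hit so the inventory report does not leak what it found."""
    if "@" in value:
        local, domain = value.split("@", 1)
        return local[0] + "***@" + domain
    return value[:2] + "***" + value[-2:]


def is_valid_ipv4(text: str) -> bool:
    """Reject regex matches that are not real addresses (e.g. 999.1.1.1)."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def scan_text(path: str, text: str) -> List[Finding]:
    """Scan one file's contents line by line and return masked findings."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(0)
                if kind == "ipv4" and not is_valid_ipv4(value):
                    continue
                findings.append(Finding(path, kind, line_no, mask(value)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory mapping of path -> contents."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def scan_directory(root: Path, suffixes: Iterable[str] = (".csv", ".txt", ".log")) -> List[Finding]:
    """Walk a real directory tree (text files only, decode errors ignored)."""
    files = {
        str(p.relative_to(root)): p.read_text(errors="ignore")
        for p in root.rglob("*")
        if p.is_file() and p.suffix in suffixes
    }
    return scan_files(files)


def summarize(findings: Iterable[Finding]) -> Dict[str, Counter]:
    """Per-file counts by identifier type: the 'where does it reside' answer."""
    summary: Dict[str, Counter] = {}
    for f in findings:
        summary.setdefault(f.path, Counter())[f.kind] += 1
    return summary


if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for path, counts in summarize(results).items():
        print(path, dict(counts))
    for f in results:
        print(f"{f.path}:{f.line} {f.kind} {f.masked}")
```

Run against the constructed sample, the report lists the HR spreadsheet (one email, one phone number) and the web server log (two IP addresses) and nothing for the readme. Note that the private address 10.0.0.5 is reported too: an internal client address can still identify a person when combined with DHCP or VPN logs, which is exactly the "indirectly identifiable" case in the definition. To run it over a real tree, call scan_directory(Path("/path/to/share")) and keep the output under the same access controls as the data it describes.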