Europe’s General Data Protection Regulation comes into effect May 25, 2018, bringing with it new rules around data collection, storage and usage.
With data breaches making headlines on a regular basis, consumers are rightfully wondering how their data is being collected, stored and used. The General Data Protection Regulation (or “GDPR”) is the European Union’s attempt at tackling this issue with new rules around the collection, storage and processing of the information of EU Data Subjects, including end users, customers and employees.
GDPR goes into effect May 25, 2018, and the penalties for GDPR non-compliance can amount to up to €20 million or four percent of annual global turnover, whichever is higher.
It’s very important to ensure your organization is compliant, and this post will help you understand how to get your data under control before the GDPR deadline.
The Rationale Behind GDPR
For a moment, let’s not think about the harsh penalties. At its core, think of GDPR as being about ensuring that companies know what data they’re collecting, that they’re using secure methods to collect and store that data, and that customer data is being used in reasonable and intended ways. These are all really good things.
The benefits for companies go beyond just minimizing organizational and legal risks, according to Hilary Wandall, Chief Data Governance Officer of technology compliance and security company TrustArc. Companies with “their finger on the pulse of their data on a real-time basis can produce real competitive advantage,” she said. And if they don’t comply, there could be serious consequences beyond just fines: “any company that seriously falters with GDPR compliance may soon find that other companies no longer view them as a reliable business partner.”
Many companies have grown accustomed to collecting customer data for reasons such as advertising or optimizing services. Preparing for GDPR means assessing your current data privacy structure and discovering where protected information is located in your enterprise.
What Personal Data Applies?
The GDPR definition of “personal data” covers any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier such as a name, identification number, location data or online identifier. There are also further “special categories of personal data” for sensitive personal data, including genetic data and biometric data that are processed to uniquely identify an individual.
Even personal data that has been pseudonymised can fall within the scope of the GDPR, depending on how difficult it is to attribute the pseudonym to a particular individual.
For more information on what counts as personal data, see Article 9.
Guidelines for Getting Your Data Under Control
While GDPR can seem overwhelming, here are a few guidelines that will help you make your data privacy plan work:
Awareness and responsibilities: Before anything else, key people in the organization need to know about the GDPR and appreciate the impact it could have. The organization can then designate Data Protection Officers to be responsible for data protection compliance.
Audit the information you hold: Assess the current state of your security practices, identify gaps, and design security controls around the personal data you hold and around whether it’s shared with other individuals and systems. Article 30 of the GDPR requires companies to produce a variety of reports demonstrating compliance, the systems and countries where data resides, and how different parties are processing that data. Discover and prioritize vulnerabilities.
Assign data protection officers: Designate someone to be responsible for data protection compliance and give them the needed authority within the organisation’s structure and governance.
User rights to data and data removal: For incoming requests, check your procedures for deleting personal data or providing data in a commonly used format to ensure they cover all the rights individuals have. You should update your procedures and plan how to handle requests within the new timeframes.
Communication of privacy information and consent: Review your current privacy notices and how you seek, record and manage consent, and refresh them if they don’t meet the GDPR standard. For children, you may need to verify age and/or obtain consent from a parent or guardian for any data processing activity.
Establish the lawfulness of your data processing practices: Identify how your processing activity fits into the GDPR, then document it and update your privacy notice to explain it.
What happens in a data breach: Assess your procedures to detect, report and investigate a personal data breach.
International jurisdictional issues: Where an alleged breach of the GDPR involves cross-border data processing, investigations will be led by a lead data protection supervisory authority (or “LSA”). If your organisation operates in more than one EU member state, you can determine which authority is your LSA.
Putting Control & Privacy at the Core of Your Data Practices Prepares you for New Regulations
While privacy and data protection compliance is often treated as an afterthought, “privacy by design” is an approach that’s becoming popular; it involves promoting data privacy best practices from the very start. GDPR doesn’t require this approach, but it could help better ensure that new services are compliant.
The bottom line is that good data practices ensure that your organization knows what data it’s collecting, how it’s being used, and what risks it poses. They also help an organization leverage personal data in ways that are responsible and that benefit the business, which should be the reason for collecting the data in the first place.
If you’re struggling with GDPR, there’s still time! One of the ways we can help is through our GDPR consulting service, which we designed to make it quick, easy and cost-effective for companies to become compliant.