What is GDPR?
General Data Protection Regulation. It replaces local EU Data Protection Directive implementations. The regulation is a new set of rules designed to give EU citizens more control over their personal data. It aims to simplify the regulatory environment for business so both citizens and businesses in the European Union can fully benefit from the digital economy. It was formulated to reform the way personal data, privacy and consent across Europe are being handled.
What is GDPR compliance?
Data breaches inevitably happen. Information gets lost, stolen or otherwise released into the hands of people who were never intended to see it — and those people often have malicious intent. Under the terms of GDPR, not only will organisations have to ensure that personal data is gathered legally and under strict conditions, but those who collect and manage it will be obliged to protect it from misuse and exploitation, as well as to respect the rights of data owners – or face penalties for not doing so.
Who Should Comply?
GDPR applies to any organisation operating within the EU, as well as any organisation outside the EU that offers goods or services to customers or businesses in the EU. That ultimately means that almost every major corporation in the world will need to be ready when GDPR comes into effect, and must start working on its GDPR compliance strategy.
There are two different types of data-handlers the legislation applies to, namely ‘processors’ and ‘controllers’.
A controller is a “person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data”, while a processor is a “person, public authority, agency or other body which processes personal data on behalf of the controller”. If you are currently subject to the UK’s Data Protection Act, for example, it is likely you will have to look at GDPR compliance too. GDPR places legal obligations on a processor to maintain records of personal data and how it is processed, creating a much higher level of legal liability should the organisation be breached. Controllers will also be required to ensure that all contracts with processors comply with GDPR.
What are the Penalties?
The following sanctions can be imposed whenever there is a breach of the provisions of the regulation:
- a warning in writing in cases of first and non-intentional noncompliance;
- regular periodic data protection audits;
- a fine of up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater, if there has been an infringement of:
  - the obligations of the controller and the processor;
  - the obligations of the certification body;
  - the obligations of the monitoring body;
  - the basic principles for processing, including conditions for consent;
  - the data subjects’ rights;
  - the transfers of personal data to a recipient in a third country or an international organisation;
  - any obligations pursuant to member state law adopted under Chapter IX;
  - noncompliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority, or failure to provide access in violation of Article 58(1).
It is worth noting that data subjects (data owners) can claim compensation for damages arising from breaches of their personal data.
What is personal data under the GDPR?
The types of data considered personal under the existing legislation include name, address, and photos. GDPR extends the definition of personal data so that something like an IP address can be personal data. It also includes sensitive personal data such as genetic data and biometric data, which could be processed to uniquely identify an individual.
When does GDPR come into force?
GDPR will apply across the European Union from 25 May 2018, and all member nations are expected to have transposed it into their own national law by 6 May 2018. Following four years of preparation and debate, the European Parliament approved GDPR in April 2016, and the official texts of the regulation and the directive were published in all of the official languages of the EU in May 2016.
What is the GDPR compliance deadline?
As of 25 May 2018, all organisations are expected to be compliant with GDPR.
What does GDPR mean for businesses?
GDPR establishes one law across the EU and a single set of rules, which apply to companies doing business within EU member states. This means the reach of the legislation extends further than the borders of Europe itself, as international organisations based outside the region but with activity on ‘European soil’ will still need to comply.
GDPR enforcement will guarantee data protection. Safeguards will be built into products and services from the earliest stage of development, providing ‘data protection by design’ in new products and technologies. Organisations will also be encouraged to adopt techniques like ‘pseudonymization’ in order to benefit from collecting and analysing personal data, while the privacy of their customers is protected at the same time.
What does GDPR mean for consumers/citizens?
Because of the sheer number of data breaches and hacks which have occurred over the years, the unfortunate reality for many is that some of their data — be it an email address, password, social security number, or confidential health records — has been exposed on the internet.
One of the major changes GDPR will bring is providing consumers with a right to know when their data has been hacked. Organisations will be required to notify the appropriate national bodies as soon as possible in order to ensure EU citizens can respond appropriately to prevent their data from being abused.
Consumers are also promised easier access to their own personal data and to how it is processed, with organisations told that they need to explain how they use customer information in a clear and understandable way. Customers should have an easy way of opting out of having their details on a mailing list. Meanwhile, some sectors have been warned that they have a lot more to do in order to ensure GDPR compliance – especially where consent is involved.
GDPR is also set to bring a clarified ‘right to be forgotten’ process, which gives people who no longer want their personal data processed the right to have it deleted, provided there are no grounds for retaining it.
Organisations will need to keep these consumer rights in mind once GDPR comes into force.
What are the main areas of focus counting down to May 25, 2018?
- Breach Notification – Evaluate GDPR-relevant security controls. Report privacy breaches to the EU regulator within 72 hours and potentially to the data subject. On target to have a compliant process in place by May week 1, 2018.
- Vendor Risk – Evaluate vendor contracts and controls for adequacy in protecting data subjects’ data. Put in place a formal Vendor Risk program: identify key vendors and create a data processing process for vendors by May week 2, 2018.
- Consent – Requirement to gain unambiguous consent by May week 2, 2018.
- Privacy By Design & By Default – Update existing SDLC and system procedures and policies to incorporate privacy and security into normal processes. ACTION: Update SDLC processes to include privacy and security in all system and application development processes by May week 2, 2018.
- Data Protection Officer (DPO) – Designate someone in the role of DPO where the organisation conducts regular and systematic monitoring of data subjects on a large scale or processes Special Categories of data (e.g., healthcare, online service customer data) on a large scale, by May week 3, 2018.
- Data Security – Put in place requirements to secure systems and data with best practice security programs by May week 3, 2018.
- Data Subjects’ Rights – Develop the ability to accept and respond to requests for “the right to know”, the “right of erasure” (“right to be forgotten”) and the “right to data portability”. Activate request intake on your portal, or apply terms compliant with GDPR, by May week 3, 2018.
- Legal Basis for Processing – Determine the legal basis for all processing activities. Review all processing activities to establish the appropriate lawful basis for each by May week 3, 2018.
- Records of Processing Activity – Document all processing activities by May week 3, 2018.
Mitiget is providing GDPR subject matter expertise services. We have conducted data discovery, mapping and data inventories as well as the Records of Processing Activities. In addition, we are performing GDPR Readiness Assessments to determine organisations’ gaps in reaching compliance. Finally, Mitiget is providing valuable guidance and advice as organisations continue their efforts towards GDPR compliance.
Mitiget is an integrated business risk solutions and IT assurance provider. We assist organisations in mitigating the risks associated with internal systems, business processes, projects, applications, data and third-party reliance. Our cybersecurity and data centre services are the most cost-effective in our space today. Mitiget’s ISO certification processes are tailored to embed relevant culture to business processes for continual improvement. We are experts at improving compliance postures across industries.