This is the first part of our series of articles on the GDPR regulation that will come into effect on May 25th 2018.
Data protection is such an important issue in the digital society we live in that the European Union decided to completely review and change the existing 20-year-old regulation.
There have been more and more massive data breaches and online data leaks that hurt not only companies but also their customers and users, whose personal information is exposed for cybercriminals to take advantage of. The increase in events like these made it clear that action was needed.
As a result, a new and broad set of rights and principles governing the protection and use of data from all individuals within the EU was defined in the General Data Protection Regulation (GDPR), which will be put into effect on May 25th 2018.
The main goal of this new regulation is to guide and regulate the way companies, across all sectors and industries, handle their customers' personal information in order to provide strong and uniform data protection, which includes heavy fines for noncompliance and rapid breach notification requirements.
Most of the companies and organisations worldwide are expected to be affected by this new regulation. Therefore, it’s time to understand the scope of these changes, how they’ll affect your business and to determine what your company needs to do to be compliant.
To help you ensure that your company is GDPR ready, we outline the key changes enforced by this new regulation:
This regulation also applies to companies located outside EU territory if they process or store personal data from EU citizens.
Companies that are non-compliant will be fined according to the scope and type of their infringement. The fines can go up to 4% of worldwide revenue in case of extreme violations.
The new regulation determines that explicit, informed and unambiguous consent must be given for data processing. To obtain a citizen’s consent, companies must clearly state what data is being processed, how it is being processed and whether it will be shared with other companies.
With GDPR, EU citizens can ask a company to delete all their personal data under the claim of withdrawal of consent or if the data is no longer relevant to the original purposes of processing, for example. However, this right to data deletion is not guaranteed and is subject to public interest or national security concerns.
In the event of a data breach, companies will have to notify both EU authorities and the citizens affected within 72 hours. This will be mandatory for both data controllers (companies) and data processors (entities that process the data on behalf of the companies).
As GDPR intends to reinforce data protection for EU citizens, it also gives them the right to obtain information from companies about how and where their personal data is being processed, to object to or restrict certain processing for direct marketing purposes, to access the data in certain circumstances and to have incorrect data corrected. Companies will also be obliged to provide a copy of the customer’s personal data on request, free of charge and in a commonly used format, so that it can easily be transferred to another data controller.
The GDPR requires data protection to be considered a key element of any system design, so that the strictest privacy settings apply automatically once a customer acquires a new product or service, without the user having to configure them manually. The new regulation also places accountability obligations on data controllers: to demonstrate compliance, they must maintain certain documentation, conduct a data protection impact assessment for higher-risk processing, and implement data protection by design and by default.
In certain circumstances, some companies (including public authorities and large-scale data processing firms) will be required to formally designate a Data Protection Officer (DPO). The DPO will be responsible for supporting the organisation’s compliance with the GDPR and will act as an intermediary between the organisation and supervisory authorities, data subjects, etc. Depending on the data processing activities for which the officer will be responsible, the DPO may be an employee or engaged under a service contract, but in both cases they must have the expert knowledge, support and authority to carry out their role effectively. They should also be located in the EU and should report directly to the highest management level.
Given that we are just a few months away from GDPR enforcement, now is the time to check whether you are on track with the adoption of the new data protection rules and whether your company meets the requirements for compliance.
Thanks for reading and see you next time!
Your team here at skeeled