The European Union (EU) will begin enforcing the General Data Protection Regulation (GDPR) on May 25, 2018. From that date, if you collect and/or process personal data belonging to citizens in the EU, you may be at risk of hefty fines for noncompliance.
The GDPR, which replaces the Data Protection Directive 95/46/EC, is designed to harmonize data privacy laws across Europe, protect the data privacy of EU citizens, and reshape the way organizations approach data privacy. Under the GDPR, organizations are encouraged to “give back” control of personal data to the individual by making it easier for individuals to discover whether the organization is processing their personal data and to change the permissions they granted for using or sharing that personal data.
Penalties for Noncompliance
There is a tiered approach to fines. For example, an organization can be fined 2% of its global annual turnover for not having its records in order, failing to notify authorities and affected customers about a breach, or not conducting impact assessments. Fines of up to 4% of annual global turnover, up to €20 Million, can be levied for the most serious infringements of the GDPR, such as not obtaining customer consent to process data or violating core Privacy by Design concepts. These rules apply to both controllers and processors, so cloud providers are not exempt from GDPR enforcement.
GDPR is not something you can “do once and forget”. Maintaining compliance will require constant vigilance and periodic upgrades. GDPR may also require organizations to make substantial investments in technology, fundamentally change the way they conduct their business, and develop new capabilities for controlling and managing every bit of personal information stored within their systems.
Key points of the new regulations include:
- Consent: Consent must be clear and distinguishable and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
- Breach Notification: Breach notification is mandatory where a data breach is likely to “result in a risk for the rights and freedoms of individuals.” Breach notification is required within 72 hours of the time you first become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.
- Right to Access: Any individual has the right to obtain confirmation as to whether their personal data is being processed, where it is stored and processed, and what it is being used for. Additionally, organizations are required to provide a copy of the individual’s personal data, free of charge, upon request.
- Right to be Forgotten: Also known as Data Erasure, this right entitles the individual to have their personal data erased, to prevent further dissemination of their data, and potentially to have third parties halt processing of their data.
- Data Portability: GDPR introduces data portability – the right of an individual to receive the personal data concerning them, which they have previously provided, in a ‘commonly used and machine-readable format’ and to transmit that data to another controller.
- Privacy by Design: Privacy by design calls for the inclusion of data protection from the outset of system design, rather than as an afterthought. It entails implementing appropriate technical and organizational measures to protect the rights of individuals. Privacy by design requires organizations to hold and process only the data absolutely necessary for the completion of their duties. It also limits access to personal data to those performing the processing.
- Data Protection Officers: Appointing a Data Protection Officer (DPO) for your organization is mandatory under GDPR. Duties and qualifications of the DPO include:
  - Expertise in data protection law and practices
  - May be a member of your organization or an external service provider
  - Their contact details must be provided to the relevant Data Protection Authority (DPA)
  - Must have the appropriate resources to carry out their tasks and maintain their expert knowledge
  - Must report directly to the highest level of management
  - Must NOT engage in tasks that could result in a conflict of interest
Are You Ready for GDPR Compliance?
The time to start implementing your data governance program is now. Cerium can help you develop an effective GDPR compliance strategy to meet the requirements. If you collect or process personal data of EU citizens, contact Cerium to learn about implementing processes and systems for protecting this data under the GDPR.