August 15, 2016 By Vikalp Paliwal 4 min read

The European Union’s General Data Protection Regulation (GDPR) has been adopted and goes into effect on May 25, 2018. That may not feel soon to some, but given the complexity and nuances of the regulation, that date really is just around the corner.

Know Your Data

Many organizations in Europe are already requesting more insight into the GDPR to help them avoid the substantial potential penalties (fines of up to 20 million euros or 4 percent of worldwide annual turnover per incident) for violating the GDPR compliance requirements.

Countless organizations outside the EU, however, are completely unaware that the GDPR may also apply to them. Why? Because the GDPR applies to any business that holds data about or markets to persons within the EU. Fortune 500 businesses and others, beware.

Begin your education now! Learn what you need to know, think about what the regulation means, consider its implications and prepare your business for success.

Data Subjects, Controllers and Processors

Per the GDPR, Data Subjects — which include end users, customers and employees, among others — have the right to make a claim if their Personal Data is not protected in compliance with the GDPR regulations. Further, EU regulators have a right to impose huge fines for violations.

Data Protection is a key concern for businesses, and the GDPR creates more obligations and liability for Data Processors and Controllers. For these reasons, it’s important to consider some general Data Protection best practices to help think through the activities Data Controllers and Data Processors will need to adopt to prepare for the GDPR — including the who, what, when, where and how of Personal Data.

Read the Interactive Solution Brief: Ready, Set, GDPR

Three Goals of the GDPR

Before we talk about requirements, let’s set the context by considering the very important goals of the GDPR and clarify what is meant by Personal Data. The GDPR’s three main goals are:

  1. To ensure protection of the fundamental privacy rights of Data Subjects (e.g., ensuring the security and confidentiality of Personal Data, but also ensuring proper notice, choice, right of access, rectification and erasure, just to name a few);
  2. To update the privacy laws so that they reflect and keep pace with the way the technology landscape has changed over the last 20 years; and
  3. To unify the 28 disparate privacy laws of the EU member states.

Within that framework, Personal Data is information about an individual. It can be any data related to you: personal identification; location data; biometric, physical, physiological, genetic or mental health data; economic, cultural or religious sentiment data; social, political or gender preference data; and more.

Data Protection Requirements

People and businesses are now paying avid attention to the GDPR requirements because of the heavy fines that go along with violating the regulation. Below, I will focus on some key requirements for processing Personal Data:

1. Condition for Consent

This requirement mandates that Controllers have the consent of Data Subjects to process their Personal Data, with some exceptions. Controllers should also be able to provide proof of consent for all their Data Subjects. Data Subjects have the right to withdraw their consent at any time, and consent is limited to specific purposes. It does not extend beyond those purposes, and use must cease as soon as the specific purpose is met.

Data Subjects also have the right to request documentation about their Personal Data processing, and the Controller and Processor need to be able to provide this.

2. Right to Access and to Obtain Data for the Data Subject

Data Subjects have the right to request access to information held about them and be provided with detailed documentation, in plain and simple language and in electronic form, from the Controller. This should describe what information is held, how Personal Data is being accessed, the purpose of the access, where it is being accessed, what categories of Personal Data are being accessed and who has access. The Controller needs to provide all these details.

3. Right to Erasure

Data Subjects have the right to request the erasure of their own Personal Data if certain conditions are met. That is, they can request the deletion of Personal Data if they do not wish to allow the Processor or Controller to use it. Controllers should be able to carry out the erasure without delay and provide documented proof that the Personal Data was removed. This gives the Data Subject control over whether their Personal Data is used. This right applies only to the Data Subject’s own information.

4. Right to Rectification and to Object to Profiling

Data Subjects have the right to request that the Controller correct their Personal Data if it is inaccurate. Data Subjects also have the right to object to profiling that has the effect of discriminating against individuals on the basis of race, ethnic origin, political opinions, religious beliefs, sexual orientation or gender identity, trade union membership, etc.

The GDPR Brings Big Changes

In addition to the above requirements, the GDPR also includes some big changes of which organizations should be aware. These changes will significantly affect organizations preparing for May 2018.

Some of the biggest changes and innovations include: the Data Breach Notification requirements; the obligatory appointment of Data Protection Officers; the obligatory Data Protection Impact Assessment; the new obligations that apply to Data Processors; and the obligatory use of Data Protection by Design.

For clarification purposes, Data Protection includes both Privacy and Security. Therefore, Data Protection Impact Assessment means both Privacy Impact Assessment and Security Impact Assessment, and Data Protection by Design means both Privacy by Design and Security by Design.

Get Educated

To be in a position to meet the GDPR requirements, organizations should start getting educated now. Some requirements are relatively simple to meet, but others, such as enabling systems to support the right to be forgotten, will be more difficult to achieve because they require business process changes.

Beginning the education process and starting to think through how and what it will take to meet the GDPR requirements should be the first logical step on the path toward embracing the GDPR.

Organizations should assess their Personal Data landscape, including where it is stored and how it is accessed, and gain a better holistic understanding of the GDPR requirements. Only then can they move forward and begin considering which technologies they will need to install to support the GDPR. Then they can determine what their deployment road map will need to look like to successfully prepare for May 2018.
