The European Union’s General Data Protection Regulation (GDPR) has been adopted and goes into effect on May 25, 2018. That may not feel soon to some, but given the complexity and nuances of the regulation, that date really is just around the corner.
Know Your Data
Many organizations in Europe are already requesting more insight into the GDPR to help them avoid the substantial potential penalties (fines of up to 20 million euros or 4 percent of worldwide annual turnover per incident) for violating the GDPR compliance requirements.
Countless organizations outside the EU, however, are completely unaware that the GDPR may also apply to them. Why? Because the GDPR applies to any business that holds data about or markets to persons within the EU. Fortune 500 businesses and others, beware.
Begin your education now! Learn what you need to know, think about what the regulation means, consider its implications and prepare your business for success.
Data Subjects, Controllers and Processors
Per the GDPR, Data Subjects — which include end users, customers and employees, among others — have the right to make a claim if their Personal Data is not protected in compliance with the GDPR regulations. Further, EU regulators have a right to impose huge fines for violations.
Data Protection is a key concern for businesses, and the GDPR creates more obligation and liability for Data Processors and Controllers. For these reasons, it’s important to consider some general Data Protection best practices to help think through the activities Data Controllers and Data Processors will need to adopt to prepare for the GDPR — including the who, what, when, where and how of Personal Data.
Three Goals of the GDPR
Before we talk about requirements, let’s set the context by considering the very important goals of the GDPR and clarify what is meant by Personal Data. The GDPR’s three main goals are:
- To ensure protection of the fundamental privacy rights of Data Subjects (e.g., ensuring the security and confidentiality of Personal Data, but also ensuring proper notice, choice, right of access, rectification and erasure, just to name a few);
- To update the privacy laws so that they reflect and keep pace with the way the technology landscape has changed over the last 20 years; and
- To unify the 28 disparate privacy laws of the EU member states.
Within that framework, Personal Data is information about an individual. It can be any data related to you: personal identification; location data; biometric, physical, physiological, genetic or mental health data; economic, cultural or religious sentiment data; social, political or gender preference data; and more.
Data Protection Requirements
People and businesses are now paying avid attention to the GDPR requirements because of the heavy fines that go along with violating the regulation. Below, I will focus on some key requirements for processing Personal Data:
1. Condition for Consent
This requirement mandates that Controllers have the consent of Data Subjects to process their Personal Data, with some exceptions. Controllers should also be able to provide proof of consent for all their Data Subjects. Data Subjects have the right to withdraw their consent at any time, and consent is limited to specific purposes. It doesn’t apply more broadly and use needs to cease as soon as the specific purpose is met.
Data Subjects also have the right to request documentation about their Personal Data processing, and the Controller and Processor need to be able to provide this.
2. Right to Access and to Obtain Data for the Data Subject
Data Subjects have the right to request access to information held about them and be provided with detailed documentation, in plain and simple language and in electronic form, from the Controller. This should describe what information is held, how Personal Data is being accessed, the purpose of the access, where it is being accessed, what categories of Personal Data are being accessed and who has access. The Controller needs to provide all these details.
3. Right to Erasure
Data Subjects have the right to request the erasure of their own Personal Data if certain conditions are met. That is, they can request the deletion of Personal Data if they do not wish to allow the Processor or Controller to use it. The Controllers should be able to carry out the erasure without delay and provide documented proof that the Personal Data was removed. This gives the power to the Data Subject on whether Personal Data is or is not used. This right only applies to the Data Subject’s information.
4. Right to Rectification, Object and Profiling
Data Subjects have the right to request that the Controller correct their Personal Data if it is inaccurate. Data Subjects also have the right to object to profiling that has the effect of discriminating against individuals on the basis of race, ethnic origin, political opinions, religious beliefs, sexual orientation or gender identity, trade union membership, etc.
The GDPR Brings Big Changes
In addition to the above requirements, the GDPR also included some big changes of which organizations should be aware. These are all highly impactful changes that will impact the organizations that are preparing for May 2018.
Some of the biggest changes and innovations include: the Data Breach Notification requirements; the obligatory appointment of Data Protection Officers; the obligatory Data Protection Impact Assessment; the new obligations that apply to Data Processors; and the obligatory use of Data Protection by Design.
For clarification purposes, Data Protection includes both Privacy and Security. Therefore, Data Protection Impact Assessment means both Privacy Impact Assessment and Security Impact Assessment, and Data Protection by Design means both Privacy by Design and Security by Design.
To be in a position to meet the GDPR requirements, organizations should start getting educated now. Some requirements are relatively simple to meet but others, such as enabling systems to support the right to be forgotten, will be more difficult to achieve since they require business process changes.
Beginning the education process and starting to think through how and what it will take to meet the GDPR requirements should be the first logical step on the path toward embracing the GDPR.
Organizations should assess their Personal Data landscape, including where it is stored and how it is accessed, and gain a better holistic understanding of the GDPR requirements. Only then can they move forward and begin considering which technologies they will need to install to support the GDPR. Then they can determine what their deployment road map will need to look like to successfully prepare for May 2018.