A question that many companies need to answer until May 25th of 2018… Is your company ready for GDPR?
What is General Data Protection Regulation (GDPR)?
GDPR is an EU regulation on the handling of personal data. It replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe. GDPR was approved by the EU Parliament on 14 April 2016; the enforcement date is 25 May 2018. GDPR has a broader scope than the previous directive: the main principles of data privacy are carried over, but many changes and policies have been added to improve personal data protection.
In summary, GDPR was designed to reconcile data privacy laws across EU countries while providing more protection and rights to EU citizens. GDPR applies to customers but also to companies' employees.
The GDPR applies to EU-based companies and to companies that collect data of EU citizens, regardless of their physical presence in the EU. How the EU can force companies outside the EU to comply with GDPR and follow its data protection rules when handling EU citizens' personal data is something that is not very clear yet.
Note: GDPR is a regulation, not a directive. A regulation is mandatory and applies automatically as law in all EU countries; a directive has to be implemented or adapted into each Member State's legislation.
What type of data is protected?
To answer the question, Is your company ready for GDPR?, you need to understand GDPR and which data must be protected and handled.
All personal data of any EU citizen. Personal data includes names, addresses, phone numbers, account numbers and, in this new regulation, email and IP addresses. This type of data is typically called personally identifiable information (PII), mainly in the United States. The European Union uses the term “personal data” for PII, which has a wider scope. The EU and the US have many differences in their privacy laws: in the EU privacy is hailed as a fundamental right, whereas in the US those laws balance privacy against efficient commercial transactions. For example, in the US cookie IDs and IP addresses are not considered personal data in some cases.
The EU approach defines PII to encompass all information identifiable to a person, a definition that can be quite broad and vague. This divergence is so basic that it threatens the stability of existing policy mechanisms for permitting international data flows.
Even standard Internet form pages are affected: company rules have changed, and some information now needs to be added to those forms when collecting personal data or asking for consent.
One example: when companies state that they may share your data with their partners, they are obligated to identify those partners by name and to inform you of the right to withdraw that consent.
Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
What companies need to implement?
Preparation for the GDPR is complex and requires internal or external experts to prepare the business. Complying with GDPR will have a financial impact on company budgets. Since there are many changes, companies need to change many of their ways of working and their rules for handling personal data in order to be compliant with the regulation.
Some of these changes are at the organizational level (like the DPO or Data Breach Notifications), but many must be done at a technical level, in how the business handles data (like the Right to be Forgotten, Privacy by Design, Data Portability or Pseudonymisation).
When a business deals with personal data, these are the main questions for privacy and GDPR rules:
- What data do we have?
- Where does the data go?
- How is the data protected?
- Who is accountable?
After the above questions are answered, you need to deal with that data and make the appropriate changes in your organization to fully comply with the following GDPR rules.
- Data Protection Officer (DPO)
The company should designate someone to take responsibility for monitoring compliance with the GDPR and other applicable data protection laws, and to be the point of contact between the business and the EU (local Data Protection Authorities – DPA) for GDPR.
A DPO should have management skills but also expertise in data protection law (GDPR), and should be able to work with internal staff at all levels. It is the DPO's task to ensure that the company's data handling complies with GDPR rules.
A DPO:
- Must be appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices.
- May be a staff member or an external service provider.
- Must have their contact details provided to the relevant Data Protection Authorities (DPA).
- Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge.
- Must report directly to the highest level of management.
- Must not carry out any other tasks that could result in a conflict of interest.
Note: Be aware that “For public authorities, and companies processing large amounts of special categories of personal data, the appointment of a data protection officer (DPO) is mandatory.”
- Right of access
The right of access gives a citizen the right to access their personal data and to know how that data is handled or processed by the Data Controller, and for what purpose. The Data Controller needs to provide a copy of the personal data upon request, free of charge, in an electronic format.
This means that a citizen always has the right to access their personal information held by the companies that handle it, and the right to know how that data is handled and for what purposes.
- Right to be Forgotten
This is one of the more famous rules because of the many requests of this kind that individuals have made, mainly to Google or Facebook.
This right was changed to a more limited right compared to the version adopted by the European Parliament in March 2014. It means that an individual has the right to request erasure of their personal data regardless of the company's interests. But at the same time, it states: “It should also be noted that this right requires controllers to compare the subjects’ rights to “the public interest in the availability of the data” when considering such requests.”
- Data breach notifications
When a business suffers a data breach, it must report it to the data protection authority within 72 hours of first having become aware of the breach (this should be done by the DPO). Customers must also be notified within 72 hours if customer data is at risk.
- Privacy by Design (PbD)
Privacy by design is a concept that is well known in IT and business. Mainly it is a process or mechanism that makes sure personal data is only accessed or processed when necessary. An example in the public domain is personal data regarding citizens' taxes. This information should not be accessed by anyone unless there is a reason to do so; no one should access this type of data out of curiosity or with other non-legal intentions.
- Data portability
The right to move data from one Data Controller to another, without refusal by the Data Controller. Companies need to provide the individual or the receiving Data Processor with the personal data in a structured and commonly used, readable format. This means that any individual has the right to move their data, as it is, from one company to another without the source company having the right to refuse that request.
- Pseudonymisation
This strange word refers to encryption and encryption keys. Most companies encrypt their data, and it is not possible to decrypt that data outside of their systems. This makes it technically impossible for an individual to exercise the right to access their data without the decryption key. To prevent this, GDPR requires that this additional information (such as the decryption key) be kept separately from the pseudonymized data.
Data Controller – An individual or entity who controls and is responsible for keeping the personal data. Can be either an individual or a “legal person” such as a company or a Government Department.
Data Processor – A natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller. The concept of a “processor” does not change under the GDPR. Any entity that is a processor under the Directive likely continues to be a processor under the GDPR.
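A concrete illustration of the separation described in the Pseudonymisation paragraph above, and of how erasure under the Right to be Forgotten then works on the same data, as an added example that is not part of the original post: the analytics data set holds only HMAC-SHA256 pseudonyms, while the key and the pseudonym-to-identity map (the “additional information”) live in a separate store. The class, function and field names are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional


class PseudonymKeyStore:
    """The 'additional information' GDPR requires to be kept apart from the
    pseudonymised data: the HMAC key plus the pseudonym -> identity map.
    Assumption: this object lives in a separate system with its own access
    controls; the analytics data set produced below never contains it."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key or secrets.token_bytes(32)
        self.lookup: Dict[str, str] = {}

    def _tag(self, identifier: str) -> str:
        # Keyed HMAC-SHA256: deterministic (same person -> same pseudonym, so
        # records can still be joined), but without the key nobody can
        # recompute pseudonyms from guessed e-mail addresses, which an
        # unkeyed hash would allow.
        normalised = identifier.strip().lower().encode()
        return hmac.new(self.key, normalised, hashlib.sha256).hexdigest()

    def pseudonym(self, identifier: str) -> str:
        tag = self._tag(identifier)
        self.lookup.setdefault(tag, identifier)  # keep the first spelling seen
        return tag

    def reidentify(self, tag: str) -> Optional[str]:
        # Right of access / portability: only the key store can link a
        # pseudonymised record back to the person it belongs to.
        return self.lookup.get(tag)

    def erase(self, identifier: str) -> None:
        # Right to be forgotten: dropping the link makes every analytics row
        # keyed by this pseudonym unlinkable to the person (crypto-shredding
        # style), without touching the analytics system itself.
        self.lookup.pop(self._tag(identifier), None)


def pseudonymise_records(store: PseudonymKeyStore, records: List[dict]) -> List[dict]:
    """Return the data set the analytics system keeps: no direct identifiers."""
    return [{"id": store.pseudonym(r["email"]), "plan": r["plan"], "country": r["country"]}
            for r in records]


# Constructed sample customer records (not real data).
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "plan": "pro", "country": "PT"},
    {"email": "Bob@example.org", "plan": "free", "country": "DE"},
]
```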
These are the main changes that your company needs to comply with and will need to handle after GDPR is officially in force.
Not complying with any of these rules (these are just the primary rules; the full GDPR has 99 articles, so your company should comply with all of them) will bring huge fines to you and your company.
Those penalties are:
Under GDPR, organizations in breach can be fined up to 4% of annual global turnover or €20 million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core Privacy by Design concepts. There is a tiered approach to fines: e.g. a company can be fined 2% for not having its records in order (article 28), for not notifying the supervising authority and data subject about a breach, or for not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors, meaning ‘clouds’ will not be exempt from GDPR enforcement.
To read all about GDPR and the full regulation, check the EU official GDPR page. You can also find useful reading on the following pages: GDPR Info (listed article by article) and also the GDPR org portal, GDPR Portal.
Now that we have gone through most of the GDPR changes and rules, most of them mandatory, can your company answer the question: Is your company ready for GDPR?
If we focus on my area, IT companies (the big boys as well as small and medium-sized ones) are more aware of this process. Companies like Google, Microsoft, Facebook, Amazon, VMware, etc., have already started an internal process to be compliant with GDPR.
Cloud Providers, which we may say are just “Data Processors”, also need to be compliant with GDPR. AWS or Azure are “Data Controllers” but also “Data Processors”, while small Cloud Providers are more “Data Processors”. Like Cloud Backup companies (Veeam, Vembu, their customers and Cloud Partners), all of them are preparing their business for the GDPR deadline. But some of them have already failed some initial tests regarding GDPR compliance, so even those big companies still have a lot of work to do to comply with GDPR rules.
It is three months until the deadline and still we read that many companies are not compliant with GDPR, or some of them don’t know whether they need to comply. Or worse, some of them think that they are not obligated to comply with GDPR. Even more, most organizations do not fully understand the consequences of not complying with GDPR. According to a SAS survey (6 months ago), 45% of organizations have already started a plan to comply with GDPR, but 58% of organizations are still not entirely aware of the consequences of noncompliance.
There is also another study, one year old, from Veritas regarding GDPR that shows similar statistics for businesses across Europe, the U.S. and Asia Pacific.
Surprisingly (or not, for those who know the inside of Government organizations), Government organizations have the lowest percentage of GDPR compliance, 26%. With these statistics, we realize that there is still a big gap between what needs to be done and what has been done by companies.
I hope this helps in understanding GDPR.
©2018 ProVirtualzone. All Rights Reserved