A question that many companies need to answer before 25 May 2018: Is your company ready for GDPR?
What is General Data Protection Regulation (GDPR)?
GDPR is an EU regulation on the handling of personal data. It replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe. GDPR was approved by the EU Parliament on 14 April 2016 and becomes enforceable on 25 May 2018. It is broader than the previous directive: the main principles of data privacy are kept, but many new obligations and policies have been added to improve the protection of personal data.
In summary, GDPR was designed to reconcile data privacy laws across EU countries while giving individuals in the EU more protection and more rights. GDPR applies to the personal data of both customers and company employees.
GDPR applies to EU-based companies and also to companies outside the EU that process the personal data of people in the EU, regardless of where the company is physically located (the regulation speaks of data subjects who are in the Union, so it is not limited to EU citizens). How the regulation will be enforced against companies outside the EU, and how they will be made to follow the data protection rules when handling that personal data, is not yet very clear.
Note: GDPR is a regulation, not a directive. A regulation is mandatory and applies automatically as law in all EU Member States. A directive has to be implemented or transposed into each Member State's own legislation.
What type of data is protected?
To answer the question "Is your company ready for GDPR?", you need to understand GDPR and which data has to be protected and how it must be handled.
All personal data of individuals in the EU. Personal data includes names, addresses, phone numbers and account numbers and, under the new regulation, also online identifiers such as email addresses, IP addresses and cookie IDs. In the United States this type of data is typically called personally identifiable information (PII). The EU uses the term “personal data”, which has a wider scope than PII. The EU and US differ considerably in their privacy laws: in the EU privacy is treated as a fundamental right, whereas in the US the law balances privacy against efficient commercial transactions. For example, in some cases in the US cookie IDs and IP addresses are not considered personal data.
The EU approach defines personal data as all information relating to an identified or identifiable person, a definition that can be quite broad and vague. This divergence is so basic that it threatens the stability of existing policy mechanisms for permitting international data flows.
Even standard Internet forms have to change. Forms now need to include the information that lets a person give informed consent to the collection of their personal data.
One example: when a company informs you that it may share your data with its partners, it must identify those partners by name, and it must give you the right to withdraw your consent.
Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
What do companies need to implement?
Preparing for GDPR is complex and requires internal or external experts to prepare the business properly, and compliance will have a financial impact on company budgets. Since there are many changes to implement, companies need to change the way personal data is handled in many places to ensure they comply with the regulation.
Some of these changes are purely organizational (such as appointing a DPO or setting up data breach notification), but many must be made at a technical level, in how the business handles data (such as the right to be forgotten, privacy by design, data portability or pseudonymisation).
When a business deals with personal data, these are the main questions for privacy and GDPR compliance:
- What data do we have?
- Where does the data go?
- How is the data protected?
- Who is accountable?
After these questions are answered, you need to deal with that data and make the appropriate changes in your organization to comply with the following GDPR rules.
- Data Protection Officer (DPO)
The company should designate someone to take responsibility for monitoring compliance with the GDPR and other applicable data protection laws, and to be the point of contact between the business and the local Data Protection Authority (DPA).
A DPO should have management skills as well as expert knowledge of data protection law (GDPR), and be able to work with internal staff at all levels. The DPO's task is to ensure that the company's handling of personal data complies with GDPR.
DPO requirements:
- Must be appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices.
- May be a staff member or an external service provider.
- Contact details must be provided to the relevant Data Protection Authority (DPA).
- Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge.
- Must report directly to the highest level of management.
- Must not carry out any other tasks that could result in a conflict of interest.
Note: Be aware that “For public authorities, and companies processing large amounts of special categories of personal data, the appointment of a data protection officer (DPO) is mandatory.”
- Right of access
The right of access gives an individual the right to obtain their personal data and to learn how that data is handled or processed by the Data Controller and for what purpose. The Data Controller must provide a copy of the personal data on request, free of charge, in an electronic format.
In other words, an individual always has the right to access the personal information held by the companies that handle it, and to know how and for what purposes that data is processed.
- Right to be Forgotten
This is one of the more famous rules, because of the many requests of this kind that individuals have made, mainly to Google or Facebook.
This right is more limited than the version adopted by the European Parliament in March 2014. An individual has the right to request the erasure of their personal data regardless of the company's interests, but the right is not absolute; as the regulation is summarised: “It should also be noted that this right requires controllers to compare the subjects’ rights to “the public interest in the availability of the data” when considering such requests.”
- Data breach notifications
When a business suffers a personal data breach, it must report it to the supervisory authority within 72 hours of first becoming aware of the breach (this is typically handled by the DPO). The affected individuals must also be notified without undue delay when the breach is likely to put their rights and freedoms at high risk.
- Privacy by Design (PbD)
Privacy by design is a concept well known in IT and in business. Essentially it means building privacy into systems and processes from the start, so that personal data is only accessed or processed when it is necessary. An example from the public sector is personal data about citizens' taxes. This information should not be accessed by anyone unless there is a legitimate reason to do so; nobody should be able to look at it out of curiosity or for other non-legitimate purposes.
- Data portability
The right to move data from one Data Controller to another, without the Data Controller being able to refuse. Companies need to provide the individual (or the receiving Data Controller) with the personal data in a structured, commonly used and machine-readable format. In other words, any individual has the right to move their data, as it is held by one company, to another company, and the source company cannot refuse that request.
- Pseudonymisation
This unusual word refers to transforming personal data so that it no longer points directly at a person. Pseudonymisation replaces the identifying attributes of the data subject with one or more artificial identifiers (pseudonyms), in such a way that additional information is needed to re-identify the original person. Pseudonymised data is therefore not directly attributable to an identified or identifiable person. It is not, however, anonymous data: whoever holds the additional information can reverse the pseudonyms, so the data remains personal data under GDPR.
In practice, most companies implement pseudonymisation with encryption or keyed tokenisation, so that the data cannot be read outside their systems. It is then considered technically infeasible to recover the identities without the decryption key or the lookup table (the additional information). To preserve that property, GDPR requires that this additional information be kept separately from the pseudonymised data and be protected by technical and organisational measures.
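As an added example of the mechanism described above (this is illustrative code, not code from the original article or from any of the companies it mentions), the following Python pseudonymises a small set of constructed customer records. Direct identifiers are replaced by keyed tokens (HMAC-SHA256 under a secret key), which keeps the rows linkable for analytics while the tokens themselves reveal nothing about the values; the key and the token-to-value lookup table are the “additional information” that must be stored and access-controlled apart from the dataset. The field names, the records and the choice of which fields count as direct identifiers are assumptions made for the example. The last function shows why a plain, unkeyed hash of an email or IP address is not adequate pseudonymisation: it can be reversed by hashing guesses.

```python
"""Pseudonymisation with the re-identification data kept apart from the dataset.

Added example, not from the original article. Record layout, field names and
sample values are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Fields treated as direct identifiers (assumption for this example).
DIRECT_IDENTIFIERS = ("name", "email", "ip")

# Constructed sample records; these are not real people.
SAMPLE_RECORDS = [
    {"name": "Ana Silva", "email": "ana@example.org", "ip": "203.0.113.7", "plan": "pro", "logins": 42},
    {"name": "Bob Jones", "email": "bob@example.org", "ip": "198.51.100.3", "plan": "free", "logins": 3},
    {"name": "Ana Silva", "email": "ana@example.org", "ip": "203.0.113.9", "plan": "pro", "logins": 1},
]


def make_token(key: bytes, field: str, value: str) -> str:
    """Deterministic keyed token: the same (field, value) always yields the same
    token, so pseudonymised rows stay linkable, but without the key the token
    reveals nothing about the value. The field name is mixed in so that the
    same string appearing in two fields does not produce the same token."""
    msg = f"{field}\x00{value}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:24]


def pseudonymise(records, key: bytes):
    """Return (pseudonymised records, lookup table).

    The lookup table maps token -> original value. Together with the key it is
    the only way back to the identities, so it must be stored and access-
    controlled separately from the pseudonymised records."""
    lookup = {}
    out = []
    for rec in records:
        new = {}
        for field, value in rec.items():
            if field in DIRECT_IDENTIFIERS:
                token = make_token(key, field, str(value))
                lookup[token] = value
                new[field] = token
            else:
                new[field] = value
        out.append(new)
    return out, lookup


def reidentify(pseudo_records, lookup):
    """Reverse the pseudonymisation using the separately held lookup table."""
    return [
        {f: (lookup[v] if f in DIRECT_IDENTIFIERS else v) for f, v in rec.items()}
        for rec in pseudo_records
    ]


def leaks_identifiers(pseudo_records, original_records) -> bool:
    """True if any original identifier value still appears in the output."""
    originals = {str(rec[f]) for rec in original_records for f in DIRECT_IDENTIFIERS if f in rec}
    return any(
        f in rec and str(rec[f]) in originals
        for rec in pseudo_records
        for f in DIRECT_IDENTIFIERS
    )


def unkeyed_token(value: str) -> str:
    """The weak alternative: a bare SHA-256 of the value, no secret involved."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:24]


def guess_unkeyed_token(token: str, candidates) -> Optional[str]:
    """Why a bare hash is not pseudonymisation: an unkeyed hash of a low-entropy
    value (an email address, an IPv4 address) is reversed by hashing guesses.
    Returns the candidate that matches, or None."""
    for cand in candidates:
        if unkeyed_token(cand) == token:
            return cand
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in production this lives in a separate key store
    pseudo, lookup = pseudonymise(SAMPLE_RECORDS, key)
    for row in pseudo:
        print(row)
    print("identifiers leaked:", leaks_identifiers(pseudo, SAMPLE_RECORDS))
    print("same person, same token:", pseudo[0]["email"] == pseudo[2]["email"])
    print("round trip with lookup table:", reidentify(pseudo, lookup) == SAMPLE_RECORDS)
    # Contrast: an unkeyed hash of an IP is recovered by walking the /24.
    guesses = (f"203.0.113.{i}" for i in range(256))
    print("unkeyed hash reversed to:", guess_unkeyed_token(unkeyed_token("203.0.113.7"), guesses))
```

Run it as a script to see the pseudonymised rows, the linkability of the two Ana Silva records, the round trip through the lookup table, and the unkeyed hash being reversed. The HMAC tokens cannot be reversed the same way, because a guesser would need the key; that separation of key and lookup table from the dataset is the whole point of the GDPR requirement.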
Data Controller – The individual or entity that determines the purposes and means of processing personal data and is responsible for keeping it. Can be an individual or a “legal person” such as a company or a government department.
Data Processor – A natural or legal person, public authority, agency or any other body that processes personal data on behalf of the controller. The concept of a “processor” does not change under GDPR: any entity that is a processor under the Directive will most likely continue to be a processor under GDPR.
These are the main changes your company needs to comply with and will have to handle once GDPR is in force.
Failing to comply with any of these rules (these are just the primary rules; the full GDPR has 99 articles, and your company must comply with all of them) can bring huge fines for you and your company.
The penalties are:
Under GDPR, organizations in breach of the regulation can be fined up to 4% of annual global turnover or €20 million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of the privacy by design concepts. There is a tiered approach to fines: for example, a company can be fined up to 2% of turnover (or €10 million) for not having its records of processing in order (Article 30), for not notifying the supervisory authority and the data subjects about a breach, or for not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors, meaning that ‘clouds’ will not be exempt from GDPR enforcement.
To read all about GDPR and the full regulation, check the EU official GDPR page. You can also find useful reading on the following pages: GDPR Info (listed article by article) and the GDPR Portal.
Now that we have gone through most of the GDPR changes and rules, most of them mandatory, can your company answer the question: Is your company ready for GDPR?
If we focus on my area, IT companies (both the big players and small and medium-sized ones) are more aware of this process. Companies like Google, Microsoft, Facebook, Amazon, VMware, etc., have already started internal processes to become compliant with GDPR.
Cloud providers, which we may say are mostly “Data Processors”, also need to be compliant with GDPR. AWS or Azure are “Data Controllers” but also “Data Processors”, while small cloud providers are mostly “Data Processors”. Cloud backup companies (Veeam, Vembu, their customers and cloud partners) are all preparing their business for the GDPR deadline. But some of them have already failed initial tests of GDPR compliance, so even the big companies still have a lot of work to do to comply with the GDPR rules.
There are three months left until the deadline, and we still read that many companies are not compliant with GDPR, or do not know whether they need to comply. Worse, some of them think they are not obligated to comply with GDPR at all.
Most organizations do not fully understand the consequences of not complying with GDPR. According to a SAS survey (six months ago), 45% of organizations have already started a plan to comply with GDPR, but 58% are still not fully aware of the consequences of non-compliance.
There is also a year-old study from Veritas on GDPR that shows similar statistics for businesses across Europe, the U.S. and Asia Pacific.
Surprisingly (or not, for those who know government organizations from the inside), government organizations have the lowest percentage of GDPR compliance, at 26%. These statistics show that there is still a big gap between what needs to be done and what companies have actually done.
Hope this helps you to understand GDPR.
©2018 ProVirtualzone. All Rights Reserved