The General Data Protection Regulation (GDPR) is a sweeping regulation due to take effect in the European Union (EU) member states and the United Kingdom in May 2018.
Through the regulation, the EU has outlined protections for every individual citizen’s personal data. The new legislation has huge implications for companies around the world that have any kind of market in the EU, especially businesses that rely on consumer data.
In short, the GDPR introduces new obligations for any organization that handles data about EU citizens, regardless of whether that organization is based in the EU or not. In addition to new requirements for companies when it comes to notifying consumers about data breaches, there will be stricter responsibilities when it comes to managing and protecting personal data.
The EU hopes that these regulations will help streamline how organizations manage, store, process, and share personal data – balancing civil liberties and privacy with economic growth and innovation.
That said, the increased security controls, procedures and requirements set forth in the GDPR’s 99 Articles are expected to come at a significant cost for businesses. Among other obligations, many organizations will be required to appoint a Data Protection Officer and to conduct Privacy Impact Assessments to ensure they are in compliance with the regulation, and they will be subject to substantial fines of up to €20M or 4% of global annual turnover (whichever is greater) for failing to adhere to the regulatory requirements.
As businesses worldwide prepare to comply with the new, complicated data protection regulation, we have outlined the key facts that organizations need to know so they can adequately allocate resources to get ahead of compliance before it is too late:
1. The GDPR affects any company that processes the personal data of EU citizens.
This legislation widens the definition of personal data to include any data that can be used to identify an individual, such as genetic, cultural, economic, mental or social information. As almost all personal data now falls under the GDPR, organizations are faced with an increased demand to answer difficult data accountability questions such as:
– Why are we holding personal data?
– Why was it originally gathered?
– How did we get it?
– How long has it been held?
– Is the data shared with any third parties?
– How secure is the data in terms of accessibility and encryption?
2. Any company that collects personal data has to first obtain consent to collect it.
Organizations need to use simple and clear language when informing users about what information will be collected, how the information will be processed, and how it will be used.
It’s critical to note that firms need to be affirmative in obtaining consent to process personal data, as silence and inactivity no longer constitute permission. Without valid consent, any personal data processing activities will be shut down by authorities.
3. Privacy Risk Assessments will be required for all initiatives.
The GDPR mandates Privacy Impact Assessments for identifying and assessing privacy exposures where privacy breach risks are high. This means that before organizations can even begin projects involving personal information, they must conduct a privacy risk assessment to ensure they are in compliance as projects commence.
4. Data monitoring means that you need a Data Protection Officer.
The GDPR requires public authorities as well as certain other organizations to appoint a Data Protection Officer (DPO) when the organization’s core activities require regular monitoring of data subjects or processing of large amounts of personal data. According to a study by the International Association of Privacy Professionals (IAPP), this requirement means that 28,000 DPOs will have to be appointed in the next two years in Europe alone.
5. Any data breaches require notifications.
The GDPR introduces a common data breach notification requirement aimed to standardize the various data breach notification laws throughout Europe and ensure organizations are continuously monitoring for breaches of personal data.
The regulation requires that organizations notify their local data protection authority of a data breach within 72 hours of discovering it. Meeting this deadline will require new technologies, processes and training to ensure that data breaches are properly understood, recognized and handled.
6. All systems should be designed with data privacy in mind.
The GDPR requires privacy by design: software, systems and processes must be designed to comply with the principles of data protection. For example, a substantial amount of commercially used software is not currently capable of properly erasing information. As the regulation is rolled out, all software will be required to completely erase data, posing new challenges for software engineers and for business decisions at the strategic level.
7. All citizens will have the right to be forgotten.
The GDPR introduces the right to be forgotten and the right of access for the data originator. At an organizational level, this means that companies must have the appropriate processes and technology in place to delete data in response to requests from data subjects (i.e. originators). Companies must obtain clear consent before they alter the way in which they are using any data they have collected, as these rights give individuals agency over their data and over where it may be held, used and transferred.
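Points 6 and 7 both come down to one engineering capability: being able to honour an access request and then make a subject’s data genuinely unrecoverable, including copies that sit in logs and backups. One pattern for that is crypto-shredding, in which every data subject gets their own encryption key and erasure means destroying the key. The example below is written for this article and is not code from any product or regulator; the `SubjectStore`, `Record` and `demo` names are hypothetical, the sample records are constructed, and the HMAC-SHA256 stream cipher is a standard-library stand-in for a vetted AEAD such as AES-GCM that a real deployment would use.

```python
"""Crypto-shredding demo: one key per data subject, kept in a vault separate
from the append-only record store. Access = decrypt with the subject's key;
erasure = delete the key, leaving every stored copy as unrecoverable noise."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Set

NONCE_LEN = 16
KEY_LEN = 32


def _subkey(subject_key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC subkeys from a subject's key."""
    return hmac.new(subject_key, label, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR-style stream cipher using HMAC-SHA256 as the PRF.
    Assumption: a stand-in for AES-GCM so this runs with only the standard
    library; use a real AEAD in production."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class Record:
    subject_id: str
    nonce: bytes
    ciphertext: bytes
    tag: bytes  # encrypt-then-MAC tag so tampering is detected on access


@dataclass
class SubjectStore:
    # Key vault: the only place a subject's key exists. Kept apart from the
    # records so that backups of the record store never contain the keys.
    keys: Dict[str, bytes] = field(default_factory=dict)
    # Append-only records standing in for databases, logs and backups that
    # cannot practically be scrubbed row by row.
    records: List[Record] = field(default_factory=list)
    erased: Set[str] = field(default_factory=set)

    def store(self, subject_id: str, plaintext: str) -> None:
        """Encrypt a record under the subject's key, minting the key on first use."""
        if subject_id in self.erased:
            # Assumption: re-collecting data after erasure needs fresh consent
            # and a fresh subject id, so writes to an erased id are refused.
            raise PermissionError(f"{subject_id} has been erased")
        key = self.keys.setdefault(subject_id, secrets.token_bytes(KEY_LEN))
        nonce = secrets.token_bytes(NONCE_LEN)
        ct = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext.encode())
        tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
        self.records.append(Record(subject_id, nonce, ct, tag))

    def access(self, subject_id: str) -> List[str]:
        """Right of access: return every record for the subject in plaintext.
        Returns [] once the key is gone, however many ciphertexts remain."""
        key = self.keys.get(subject_id)
        if key is None:
            return []
        out = []
        for r in self.records:
            if r.subject_id != subject_id:
                continue
            expected = hmac.new(_subkey(key, b"mac"), r.nonce + r.ciphertext, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, r.tag):
                raise ValueError(f"record for {subject_id} failed integrity check")
            out.append(_keystream_xor(_subkey(key, b"enc"), r.nonce, r.ciphertext).decode())
        return out

    def erase(self, subject_id: str) -> int:
        """Right to be forgotten: destroy the key. The ciphertexts are left in
        place (as they would be in backups) and the count made unrecoverable
        is returned for the erasure log."""
        self.keys.pop(subject_id, None)
        self.erased.add(subject_id)
        return sum(1 for r in self.records if r.subject_id == subject_id)


def demo() -> dict:
    """Walk through access, erasure and post-erasure access on constructed data."""
    store = SubjectStore()
    store.store("subject-42", "email=alice@example.com")   # constructed sample
    store.store("subject-42", "phone=+44 20 7946 0000")    # constructed sample
    store.store("subject-7", "email=bob@example.com")      # constructed sample
    before = store.access("subject-42")
    shredded = store.erase("subject-42")
    return {
        "before": before,
        "shredded": shredded,
        "after": store.access("subject-42"),
        "records_kept": len(store.records),   # nothing was physically deleted
        "other_subject": store.access("subject-7"),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is the separation of the key vault from the record store: erasure is only as good as the guarantee that no backup of the records also holds the keys, so in a real system the vault would be an HSM or KMS with its own retention policy, and the erasure log (the count `erase` returns) is what you would show an auditor.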
The new, sweeping regulatory requirements that the GDPR imposes will require organizational changes with new resources, processes and procedures for companies worldwide.
The biggest challenge for organizations is not technical; it’s organizational. Each business will have to work to understand how people interact with data. While businesses were previously required to protect personal data, there is now an explicit requirement for companies to be overt and transparent about what and whose data they have, what they are going to be using the data for and how it is protected.
Organizations are faced with a fundamental culture shift, as all employees from those at the executive level down to administration must be aware of their obligation to protect consumer data across all channels, even over the phone. That said, perhaps the biggest change that will drive transformation across all industries is that the GDPR puts the customer back at the center and in control of their data. Although there will be many organizational pressures and hurdles to comply, this transformation should be viewed as positive progression towards an economy built upon trust.