GDPR Key Changes
The aim of the GDPR is to protect individuals in the EU from privacy and data breaches in an increasingly data-driven world. The key principles of data privacy established by the 1995 Data Protection Directive still hold true, but the GDPR, which replaces that directive, makes many changes to the regulatory requirements placed on organizations.
The 4 pillars of GDPR
Personal privacy
Individuals have the right to:
Access and correct errors in their personal data
Individuals have the right to access their personal data and, if needed, the right to correct errors within it.
Object to processing of their personal data
Withdrawing consent to the processing of their personal data must be as easy for an individual as giving it.
Erase their personal data
Under the Right to Be Forgotten, individuals are entitled to have the data controller erase their personal data, cease further dissemination of the data, and, where the data has been made public, have third parties halt processing of the data.
Controls and notifications
Organizations will need to:
Protect personal data using appropriate security
Privacy by design becomes a legal requirement with the GDPR, which calls for data protection to be built in from the outset of system design rather than added afterwards.
Notify authorities of personal data breaches
Breach notification to the supervisory authority becomes mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”, and must be made, where feasible, within 72 hours of the controller first becoming aware of the breach; a later notification must be accompanied by the reasons for the delay. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.
Obtain appropriate consents for processing data
Companies will no longer be able to bury consent in long, illegible terms and conditions full of legalese. A request for consent must be clearly distinguishable from other matters and presented in an intelligible and easily accessible form, using clear and plain language, with the purpose of the data processing attached to that consent.
Keep records detailing data processing
Transparent policies
Organizations are required to:
Provide clear notice of data collection
Companies will have to inform individuals about what personal data is captured and why, and, where consent is the lawful basis for processing, obtain that consent explicitly.
Outline processing purposes and use cases
Individuals have the right to obtain from organizations confirmation as to whether or not personal data concerning them is being processed, and if so, where and for what purpose. Further, the organization must provide a copy of the personal data free of charge, in an electronic format where the request was made electronically.
Define data retention and deletion policies
Organizations will need to be able to demonstrate, by policy and process, how they handle withdrawal of consent and deletion of personal data.
IT and training
Organizations will need to:
Train privacy personnel and employees
Audit and update data policies
Employ/outsource a Data Protection Officer (DPO) (if required)
Create and manage compliant vendor contracts
What GDPR means for your data
Stricter control on where personal data is stored and how it is used
Improved data policies to provide control to data subjects and ensure lawful processing
Better transparency, record keeping, and reporting
Focus on these four key steps to achieve GDPR compliance
1. Discover
Identify what personal data you have and where it resides.
2. Manage
Govern how personal data is used and accessed.
3. Protect
Establish security controls to prevent, detect, and respond to vulnerabilities and data breaches.
4. Report
Execute on data requests, report data breaches, and keep required documentation.
Don’t wait until it’s too late
Given how much is involved, you should not wait until the regulation takes effect on 25 May 2018 to prepare. You need to begin reviewing your privacy and data management practices now. Failure to comply with the GDPR could prove costly: companies that do not meet the requirements and obligations face administrative fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher, as well as reputational harm.