GDPR OverviewThe GDPR was created in response to the rising threats to consumer safety posed by Big Data and evolving IoT technology. It defines data privacy as a fundamental right and puts protections in place for the personal data of European Union residents. That includes things like names, addresses, phone numbers, email addresses, photos, identification numbers, IP addresses, human resource records, and biometric data. Essentially, the GDPR provides more consumer control over data for EU residents. It applies to people and activity within the EU’s sphere of legal influence, specifically:
- Residents of the EU
- Businesses and other organizations based in the EU
- Entities operating in the EU
- Entities who collect or process data in the EU or data otherwise covered under the GDPR
- Monitoring of behavior within EU
What Changes for EnterpriseGDPR guidelines are simple but wide-reaching, all aimed at putting improving individual data control and peace of mind. Here’s what changes:
ScopeThe GDPR affects both any handling data of EU residents anywhere in the world and anyone within EU processing any data. The applicability of data protection laws used to be ambiguous; companies could simply process data outside EU to avoid legal protections.
Consumer control and consentIndividuals have much more control over what happens with their data. They must be told specifically whatis being collected, why it’s being collected, how it’s being used, and what protective measures are in place. There are also exceptions for legal allowances like public safety, a controller’s legal obligations, and the legal data interests of another person. Controllers can’t refuse service for denial of data usage unless data is necessary to provide the service. This set of rights comes with specific additional rights:
- Access to Data: Consumers can access their data as well as what it’s being used for on request.
- Data portability: Controllers must provide a data subject with their data in a commonly used format and transfer that data to another controller on data subject’s request.
- Right to be forgotten (RTBF): Consumers can have their data erased on request both by controller and by any entity who was given the data.
Security by design and defaultControllers must make secure settings the default in all scenarios and take active steps to ensure data security.
Breach handlingBreaches must be disclosed if they could result in any risk to the rights and freedoms of data subjects, including the right to data privacy. Public disclosure must happen with 72 hours of the organization becoming aware of the situation. Processors have an additional duty to inform controllers of breaches on their end without “undue delay” to expedite public disclosure.
Data Protection OfficersThis is one of the least understood parts of the GDPR, but it doesn’t need to be complicated. Organizations only need a specific data protection officerin select cases, specifically:
- When a public authority is processing personal data (except courts conducting official judicial business)
- When there is regular, systematic monitoring of individuals on a large scale
- When monitoring certain categories of data including biometric data, data about religious or political beliefs, trade associations, health information, and criminal or legal backgrounds; additionally, this data can only be processed in specific circumstances (ie, with explicit consent of data subject, when legally required)
PenaltiesThere are standard enforceable fines for violations of the GDPR. Fines are based on different factors (like how much damage was caused, how the issue was discovered, and what the Controller is doing to fix the situation). The basic types of fines call into different categories:
- Accidents and oversights are punishable by up to the greaterof €10 million or 2% of the organization’s global annual turnover.
- Carelessness or deliberate violations can cost up to the greaterof €20 million or 4% of global annual turnover.
Protecting Your CompanyHere’s a quick checklist of steps that will help companies ensure GDPR compliance and avoid imposing fines.
- Assess whether the GDPR could potentially apply, keeping in mind that online ordering systems that collect EU data are included.
- Make GDPR compliance an executive priority. Incorporate the GDPR into onboarding and refresher training.
- Determine whether a DPO is needed and, if so, make sure they have an unobstructed direct line to company leadership.
- Identify all types of individual data collected by the company and how it’s used.
- Minimize personally identifiable data used in general. Good analytics can be done with anonymized or pseudonymized data, so prioritize that.
- Update privacy policies to spell out data usage, individual rights, and the mechanism for obtaining or deleting individual data records.
- Review and improve data security measures to include breach handling policies.
- Recommit to good data management policies(update software, soft target minimization, and so on).
- Be vigilant for second-hand vulnerabilities like data transfers to non-compliant entities.
Deciding whether the GDPR will apply to your enterprise means figuring out where your data comes from and how it’s being protected. Concepta can help. Set up a free consultation with our knowledgeable staff to review your data intelligence process and protect your business from accidental GDPR violations.