The General Data Protection Regulation (GDPR), approved in April 2016, will go into effect on May 25, 2018. The intent of the regulation is to streamline data protection for all individuals within the European Union. This post is a high level overview of the basics of GDPR. Refer to the links at the end for further details.
The regulation applies not only to organizations established in the EU, but also to organizations outside the EU that offer goods or services to individuals in the EU or monitor their behaviour, and it covers both data controllers and data processors. "Personal data" is any information relating to an identifiable person; examples include name, postal address, bank details, email address, medical information, and online identifiers such as an IP address.
In order to comply with the new regulation, an organization must have appropriate technical and organizational measures in place. Staff training, audits, and HR policies may need to be changed, and records of processing activities must be kept. Data protection impact assessments should be carried out for processing that is likely to pose a high risk to individuals, and used more generally to check that your organization is in compliance with the regulation.
Individuals have several rights under the GDPR that cover the main aspects of data protection. These include the following (condensed from the Information Commissioner’s Office guidance):
- The right to be informed - This is generally communicated through a privacy notice. Although this is not an exhaustive list, the notice should include the identity and contact details of the data controller, the purposes of and lawful basis for the processing, the categories of data being collected, the recipients of this data, the retention period, and how to lodge a complaint with the supervisory authority.
- The right of access - Individuals must be allowed to access their personal data, and to receive confirmation that it is being processed, so that they can verify the lawfulness of the processing. Requests must normally be answered within one month and free of charge.
- The right to rectification - If an individual reports that their data is inaccurate or incomplete, the organization must correct it within one month; this can be extended by a further two months where the request is complex. If the data has been shared with third parties, they must be told about the correction where possible.
- The right to erasure - Also known as the "right to be forgotten". At some point in an individual’s relationship with a data collecting organization they may request that their personal data be deleted, for example because it is no longer necessary for the purpose it was collected for or because they withdraw consent.
- The right to restrict processing - When processing is restricted, perhaps because the individual contests the accuracy of the data or has objected to the processing, the organization may continue to store the data but must not process it further until the restriction is lifted.
- The right to data portability - Individuals are allowed to obtain their data in a structured, commonly used and machine-readable format and to reuse it for their own purposes across different services, including having it transmitted directly to another controller where technically feasible.
- The right to object - Individuals may object to processing that is based on legitimate interests or on a task carried out in the public interest, to processing for direct marketing (which must then stop unconditionally), and to processing for scientific or historical research and statistics.
- Rights related to automated decision making and profiling - Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects on them. Where such processing is permitted, they must be able to obtain human intervention, express their point of view, and challenge the decision.
If a firm is found to be non-compliant with GDPR regulations, fines can be quite expensive. For the most serious offenses “organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million” (www.eugdpr.org), whichever is greater. The fines are tiered. The higher tier applies to violations of the basic principles for processing (including the conditions for consent), of the rights of data subjects described above, and of the rules on international transfers. The lower tier, up to 2% of annual global turnover or €10 million, covers failures such as not keeping records of processing in order, not carrying out a data protection impact assessment, or not notifying the supervisory authority and the affected individuals about a breach. The same rules apply to both controllers and processors.
Organizations inside and outside the European Union are earnestly preparing for the May 25, 2018 effective date. It is imperative that personal data be protected as thoroughly as possible. In the event of a breach, the supervisory authority must be notified within 72 hours of the organization becoming aware of it where feasible, and affected individuals must be informed without undue delay when the breach is likely to result in a high risk to them. Companies must have these procedures and policies in place in order to support their successful adherence to the new regulation.
More information may be found at the following links:
Official site for the EU General Data Protection Regulation: http://www.eugdpr.org/
Full version of the regulation can be found here: http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf
From the Information Commissioner’s Office: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/