The General Data Protection Regulation (GDPR) Takes Effect May 25th 2018
April 19, 2018
The European Union's General Data Protection Regulation replaces Data Protection Directive 95/46/EC and is designed to put individuals back in charge of their data and personal information.
Do you conduct business in the European Union? Are you familiar with the GDPR (General Data Protection Regulation)? As we’ve written previously, the GDPR takes effect May 25th, and is enforceable for all businesses (not just those based in the EU) that collect the personal data or monitor the behavior of individuals in the EU. Note that the regulation protects data subjects located in the EU, not only EU citizens. Realistically, companies should have taken steps toward compliance a long time ago, but it is never too late to start.
There are 99 Articles in the GDPR but below are some of its essential requirements:
- Have a legal basis for controlling or processing personal data (Article 6);
- Collect and process personal data only for lawful purposes and protect it at all times;
- Maintain documentation of all data processing activities (Article 30) including the purposes of data processing and the categories of data involved. A description of the technical and organizational security measures over this data is required.
- Note: organizations with fewer than 250 employees are excluded from the documentation requirements, with some exceptions.
- Be able to demonstrate compliance with the GDPR and the on-going assessment of such compliance (the accountability principle, Article 5(2) and Article 24), and build data protection into systems and processes by design and by default (Article 25)
- Meet the standard of “consent” (Article 4(11)). Consent means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes…by a statement or by a clear affirmative action that signifies agreement to the processing of personal data relating to him or her”.
- Note: consent cannot be implicit, must be as easy to withdraw as to give, and the controller must be able to demonstrate that it was obtained (Article 7).
- Notify the Supervisory Authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals (Article 33); where the breach is likely to result in a high risk to individuals, notify the affected data subjects as well (Article 34).
- Respond to requests from data subjects about the personal data you control, process, or transfer about him or her (Article 15) without undue delay and in any event within one month (Article 12)
How do you know if you’re subject to the GDPR?
This depends on whether or not your organization is established in the EU.
- An organization established in the EU is subject to the GDPR, which replaces the Directive (and overrides national laws that implement the Directive).
- An organization based outside the EU is subject to the GDPR if it either:
(1) Offers goods or services to EU data subjects; or
(2) Monitors the behavior of EU data subjects.
Any organization that is subject to the GDPR should review its obligations under the GDPR and take a risk-based approach to satisfying those obligations.
Complying with GDPR
If you know you are subject to the GDPR, there are a few things you must do to comply:
- Elevate the importance of compliance at the highest level of your organization
- Perform a compliance assessment
- Modify existing policies and procedures to address the GDPR
- Conduct an end-to-end inventory and audit of your data so you know everywhere it is stored and processed
- Implement employee training on data protection
- Only collect personal data when it is necessary for a stated purpose and confirm you have a lawful basis (Article 6) before collecting it; consent is one of those bases, not the only one, and where you rely on it, obtain it before collection.
- Limit access to personal data to appropriate individuals
- Establish a process for responding to data access requests
- Erase personal data upon request where the right to erasure applies (Article 17); the right is not absolute, so document the exceptions you rely on when you decline. Where processing is based on consent, data subjects can withdraw that consent at any time, and withdrawal must be as easy as giving it (Article 7).
- Document all personal data you hold, where it came from and who you share it with
- Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
- Designate a Data Protection Officer to take responsibility for data protection compliance where Article 37 requires one (public authorities, and organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data); the trigger is the nature of your processing, not the size of your organization. Decide where this role will sit within your organization’s structure and governance arrangements, and consider appointing one voluntarily even if not required.
- Determine your lead data protection supervisory authority if your organization operates in more than one EU member state.
When does GDPR replace the Data Protection Directive?
The GDPR will apply starting May 25th, 2018.
The GDPR applies to all businesses established in the EU; however, all businesses marketing services or goods to, or monitoring the behavior of, individuals in the EU should be preparing to comply as well. Businesses will benefit from avoiding costly penalties while improving customer data protection and trust. Contact our Information Security Services team for more guidance.