Everyone is talking about it — What is GDPR, anyway?
General Data Protection Regulation (GDPR) is the new European Union privacy law, approved in 2016 jointly by European Parliament, the Council of the European Union and the European Commission.
GDPR will replace the existing European Data Protection Directive (which btw, came into the picture in 1995), which will be in effect until May 25, 2018. Post this date, GDPR will supersede and all the laws attached to data protection will be governed by GDPR.
GDPR aims to bring all the EU member states under one umbrella by enforcing a single data protection law. GDPR is intended to put guidelines and regulations on how data is processed, used, stored or exchanged.
Should I be concerned about it — Who is it for?
GDPR applies to all the organizations that are registered in EU or have an establishment or subsidiary in EU. It also applies to an organization which sells goods or services to citizens of the EU and process or monitor the personal data of EU residents.
Note: Personal data is any information relating to an identified or identifiable natural person
In simple words, if your business is established in EU or part of your customer base is located in EU, you must comply with GDPR.
The specific criteria for organizations that are required to comply are:
- A presence in any EU country.
- No presence in the EU, but the organization processes personal data of EU citizens.
- More than 250 employees.
- Fewer than 250 employees but the organization’s practices impact the rights and freedoms of EU citizens or include certain types of sensitive personal data. That effectively means approximately all companies.
A PwC survey showed that 92 percent of U.S. companies consider GDPR a top data protection priority.
Which parties are involved in GDPR?
There are three major stakeholders under these regulations, namely:
- Data controllers decide the purposes and methods of processing personal data — they coordinate processing.
- Data processors are responsible for directly processing personal data based on the instructions of data controllers. This could, for example, include subcontractors.
- Data subjects are the citizens of EU using goods and services provided by the data controllers.
Say, if you are a business selling a SaaS product to EU citizens(Data Subjects) and using a third party tool X to analyze consumer behavior on your platform. You are the Data Controller and X is the Data Processor.
What’s different than before — what are the key changes?
GDPR harmonizes how personal data is processed, used, stored and exchanged securely across all EU member states.
The organizations coming under the radar of EU will have to demonstrate the security of the data they are processing. They will also have to implement substantial technical and organizational measures to demonstrate their compliance with the GDPR on a continual basis.
Security actions required
GDPR has specific instructions for what types of security action may be required:
- The encryption and pseudonymization of personal data.
- Organizations should make provisions for regular testing, assessment, and evaluations of the effectiveness of technical and organizational policies for ensuring the security of the data.
- Provisions for confidentiality, integrity, availability, and resilience of processing systems and services.
- In the event of a physical or technical incident, organizations are entitled to restore the availability and access to personal data in a timely manner.
The GDPR intends to protect the personal data of EU residents and the data which is deemed personal is:
- Basic identity information such as name, email, address, and ID numbers
- Web data such as location, IP address, cookies data, and RFID tags
- Health, genetic, and biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
The GDPR authorities will be able to issue fines of up to EUR 20 million or 4% of annual worldwide turnover, whichever is higher if there is a breach of terms listed by the authorities.
What are the entitled rights of Data Subjects?
In case of any data breach that is likely to result in unauthorized use and distribution of data, the Data Controllers will have to notify Data Subjects about the breach within 72 hours of becoming aware of the same.
Similarly, Data Processors will have to inform Data Controllers about the breach within the time frame.
Right to Access
GDPR brings the right for Data Subjects to get information about how, where and for what purpose their personal data is being processed.
Right to be Forgotten
Also known as Data Erasure, the right to be forgotten entitles the Data Subject to have his/her personal data deleted from the logs of Data Controllers. The right to be forgotten also enables them to halt or cease further distribution and use of the data by third parties.
GDPR introduces data portability — the right for a Data Subject to receive the personal data concerning them, which they have previously provided in a commonly use and machine-readable format and have the right to transmit that data to another Controller.
This essentially means that if you want to make a switch from one service provider to other, the former service provider should give you the complete data in a machine-readable format which can be used to integrate with the new service provider.
Privacy by Design
The privacy by design is formally inducted in GDPR to facilitate effective designing of systems which resonate with the best practices of data protection. The controller shall implement appropriate technical and organizational measures in a design effective way in order to meet the requirements of this right and protect the rights of data subjects.
The controllers should hold and process only the data absolutely necessary for the completion of its duties, as well as limiting the access to personal data to Data Processors.
Data Protection Officers (DPO)
A DPO should be appointed to facilitate the smooth functioning of data protection in certain organizations.
These organizations include the Controllers and Processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offenses.
Does my business need to appoint a DPO?
DPOs must be appointed in the case of:
- Public authorities
- Organizations that engage in large-scale systematic monitoring
- Organizations that engage in large scale processing of sensitive personal data
If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.
How will it affect my cloud data storage practices?
If you plan to use a public, private or hybrid cloud data storage, there are GDPR compliance implications. These implication are listed below:
- In a privately hosted cloud storage, you will have full control over the data and can put in appropriate measures in protecting it.
- If you are using a public or hybrid cloud data storage, your cloud storage service provider should put adequate security measures in terms of policies and procedures. Make sure that the liability measures imposed by the providers comply with the policies.
GDPR is a new reform in age-old privacy and data protection laws for businesses concerning residents of EU, which is a major customer base of a lot of businesses. GDPR intends to bring harmonized regulations across all the EU states.
It can be intimidating to first scan the official GDPR policies and the buzz created in the business community. But this article and other supporting documents on the internet will guide you to tweak your policies and practices to comply with GDPR easily.
I thank Devashish, CEO of Kommunicate for helping me with research and notes on GDPR.
I work for Kommunicate, a modern customer support platform. The article was originally published here.
If you liked reading the article, please clap it, share it or comment below for further discussions.