Several organizations that do business with EU citizens are in panic mode as the day to enforce GDPR draws closer. Panic will only get us so far; understanding it in layman’s terms is a more useful tactic.
What is GDPR?
The General Data Protection Regulation (GDPR) is a regulation adopted by the European Union (EU), with an effective date of May 25, 2018.
Why is it needed?
In an increasingly digitized world where data is collected, and either exchanged or sold, protecting it becomes of utmost importance, so that individuals feel safe and protected about the way in which their data is used. Different companies and organizations can use a person’s name and address, his or her medical records and bank account information, photos, videos, and passport information in many ways. While many do not mind this data getting public, a large section of EU citizens have demanded greater control over their personal data. This gave birth to GDPR that gives EU citizens enhanced privacy rights.
How did it come into being?
The European Union Data Protection Directive, which emerged in the mid-1990s, is ancient history in the world of technology. Data collection and processing, especially online, have been disrupted in the past few years, and the current Data Protection Directive does not effectively cover some of what has developed since it was first enforced. The GDPR is a reaction to those concerns about the growing need for data protection.
Whom does it affect, and how?
Currently it is an EU regulation, so it affects businesses and organizations located within EU member states. It also applies to non-European companies that operate in an EU member state. In other words, GDPR applies to any organization (anywhere in the world) that processes personal data about EU individuals.
You, as an organization or business unit, need to pay attention to GDPR requirements if you process the personal data of EU data subjects (people in the EU, whether visitors or citizens), offer them goods or services, monitor or track their activities, or otherwise do business with them.
It affects several kinds of relationships, such as:
- Business to consumer (B2C): The requirements bring a duty of care for EU personal data.
- Business to business (B2B): Your GDPR-related obligations extend into third-party relationships involving processing.
- Business to employee (B2E): If an EU data subject is your employee, that person’s data is within the scope of the GDPR.
The potential penalty for running afoul of the GDPR can be large — it is up to 4 percent of an organization’s global revenues, or €20 million, whichever is greater.
What are the most basic GDPR requirements?
- The ability to facilitate data subject rights such as access, correction, objection, erasure, and data portability
- The implementation of data-protection-by-design controls supporting the principles of lawfulness, fairness, and transparency
- Limits on purposes for which you may process and store data
- Data minimization (including pseudonymization, or the replacement of identifying data with pseudonyms)
- Accuracy of data
- Storage limitation, integrity, and confidentiality
- Accountability
What are the rights and responsibilities associated with GDPR?
For every organization that does data monitoring on a large scale, a data protection officer must be named, according to the GDPR.
It puts forth the idea of pseudonymization, whereby identifying data is converted in a way that makes it impossible for an unauthorized person to trace it back to an individual.
Organizations will be required to show they have a legal and compelling reason to continue processing data on that particular subject.
- Subject access request: Individuals have the right to ask for the details of any information you have on them. You need to be able to provide a copy of the data, and furnish information about how you use the data, a list of any third parties that might have access to it, and an idea of how long you need to store the data. If you get this kind of request, your organization must respond in a month or less (unless it’s a particularly complex request).
- Data portability: Data subjects can ask that you pass along their data to another processor. This kind of right makes it easier for people to move their business to a competitor.
- Right to be forgotten: Data subjects can ask that your organization permanently get rid of their data, particularly when you no longer have a need for it. They can also withdraw a consent that they have previously given you.
- Notification of breach: If there’s a data breach, your organization must notify regulators within 72 hours, and in typical cases you also must notify those data subjects whose records have been breached. In certain situations, such as with well-encrypted data, you might not have to make a public announcement of the breach.
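To make the pseudonymization idea above concrete, and to show how an erasure request is then honoured, here is an added example (not part of the original post): it replaces e-mail addresses with keyed HMAC tokens, keeps the re-identification table apart from the working dataset, and removes one subject on request. The record fields, the key handling and the function names are my assumptions, not anything the GDPR text prescribes.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; the people and addresses are fictional.
RECORDS = [
    {"email": "alice@example.com", "country": "DE", "purchases": 3},
    {"email": "bob@example.com", "country": "FR", "purchases": 1},
    {"email": "alice@example.com", "country": "DE", "purchases": 2},
]


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the normalised identifier, hex-encoded.

    A keyed MAC rather than a plain hash: anyone holding only the dataset
    cannot recompute tokens from guessed addresses without the key. The
    same identifier under the same key yields the same token, so records
    of one subject remain joinable for analytics.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymize(records, key):
    """Return (pseudonymized dataset, re-identification table).

    The table (and the key) are the 'additional information' that lets the
    controller map a token back to a person; store them separately from the
    dataset and under stricter access control.
    """
    dataset, lookup = [], {}
    for record in records:
        token = pseudonym(record["email"], key)
        lookup[token] = record["email"]
        dataset.append({"subject": token,
                        **{k: v for k, v in record.items() if k != "email"}})
    return dataset, lookup


def erase_subject(dataset, lookup, email, key):
    """Honour a right-to-be-forgotten request: drop the subject's rows and
    the entry that would allow re-identification. Returns the new dataset."""
    token = pseudonym(email, key)
    lookup.pop(token, None)
    return [row for row in dataset if row["subject"] != token]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generate once, keep in a separate secret store
    data, table = pseudonymize(RECORDS, key)
    print(len(data), "rows;", len(table), "subjects re-identifiable by the controller")
    data = erase_subject(data, table, "alice@example.com", key)
    print(len(data), "rows after erasure;", len(table), "subjects remain")
```

Because the controller can still re-identify subjects with the key, the pseudonymized dataset is still personal data under the GDPR; the separation only limits what a party who obtains the dataset alone can learn.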
I hope this has made the GDPR easier to understand. We will talk about the testing approach for GDPR compliance in the next blog.