COMPANIES AND THE EU GENERAL DATA PROTECTION REGULATION (a.k.a. GDPR)
Introduction — what is the GDPR?
As you may know, all companies processing the personal data of EU citizens and residents have only a short time left to comply with a new data regulation regime known as the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which applies from May 25, 2018.
So, what is the GDPR all about?
The General Data Protection Regulation (GDPR) is a regulatory initiative put in place by the European Union (EU) to strengthen and unify data (privacy) protection of all individuals residing within the EU. It also seeks to address the conveyance of personal information outside the EU. The main reason behind the conception of this regulation is to give residents and citizens of the EU the right to control their privacy, while making the regulatory environment much simpler for international businesses by way of unifying the regulation within the region.
The GDPR was adopted on 27 April 2016 and will take effect on 25 May 2018, replacing the previous ‘Data Protection Directive’ (Directive 95/46/EC) that has been in operation since 1995.
Unlike the former ‘Data Protection Directive’, the new regulation will not require any enabling legislation to be passed by the legislature of each EU member state.
8 Facts & Effects Companies Must Know About the GDPR
It is becoming increasingly clear that some companies do not know the extent and nature of the GDPR as a new rule. Some businesses do not even know what data they hold and where it is, how to retrieve it, or the corresponding obligations under the new law. Be that as it may, there are facts which every organization doing business within, and even outside, the EU must know about the GDPR that comes into force in 2018.
1. Wider Scope & Nature
The new rule – once it comes into effect on 25 May 2018 – will have jurisdiction over the following corporate entities:
- All organizations or ‘data controllers’ that collect data from EU residents
- All companies or businesses that process data on behalf of data controllers (e.g. providers of cloud services), where the data subject is based in the EU
- All organizations or companies resident outside the EU which actively collect or process personal data of EU residents
2. Broader Meaning of Personal Data under the GDPR
Companies must understand what is meant by the term “personal data” under the GDPR context. According to the EU Commission, the term personal data implies any information that has to do with the private, public or professional life of an individual residing in the EU. This could be the name, place of residence/address, a photo, phone numbers, e-mail address, bank and credit card details, websites or social media profile and posts, an IP address or medical information.
The regulation excludes data collection for matters of national and cross-border security, and there is a separate regulatory rule for police and criminal justice authorities governing the collection and sharing of personal data within and outside the EU.
3. Worldwide Application
By virtue of the GDPR, the principle that governs EU data protection has a broader implication for the rest of the world. It means that any company, even one not resident in the EU, that actively works with information relating to any EU citizen or resident must comply with the requirements of the GDPR, making it the first and only universal data protection law.
4. Strict rules for obtaining valid consent
All companies collecting personal data are mandated under the new rule to obtain simple, clear and affirmative consent before they can process such data. The GDPR eliminates inactivity or silence as a yardstick for affirming consent. Therefore, companies must now secure consent through a proper mechanism. Failure to secure valid consent would result in the shutting down of any personal data processing activities.
5. Mandatory appointment of a DPO for some organizations
Under the GDPR, companies employing more than 250 people, along with all public authorities or bodies that actively process personal data, are mandated to hire or appoint (e.g. externally on a contract basis) a “Data Protection Officer” (DPO) to handle tasks relating to large-scale and systematic monitoring or processing of data subjects’ data. This requirement means that, in Europe alone, about 28,000 DPOs will have to be appointed over the next two years.
6. Mandatory PIAs
One major requirement of the GDPR is that all companies acting as data controllers must conduct Privacy Impact Assessments (PIAs) where it is clear that the risk of a privacy breach is high, in order to minimize the risk to data subjects.
This implies that before companies can even commence the processing of personal data, they must first conduct a privacy risk assessment while working with the DPO to ensure clear compliance as the project progresses.
7. Introduction of a Common Data Breach Notification
The GDPR unifies the different data breach notification laws existing in Europe, so that companies processing personal data constantly monitor for breaches that may arise from such data.
The regulation makes it mandatory for companies to notify the local data protection authorities within 72 hours of becoming aware of a breach. This means companies must possess the necessary technology and invest in staff training so that they can detect and respond rapidly to such a breach if it arises.
The process may also require companies to make changes to the posture and level of their internal security setup and to how they handle such breaches, in harmony with the company’s general objectives.
8. GDPR Bars Companies from Overstepping Their Borders
The new data protection regulation imposes a restrictive data minimization principle that bars companies from holding data longer than necessary, and from diverting or changing the use of the data from the original purpose for which it was first obtained. The GDPR also makes it compulsory for such companies to delete any data whatsoever at the request of the data subject. In a nutshell, customers now have ‘the right to be forgotten’.
Steps Companies Can Take To Comply With GDPR Requirements
One of the heaviest sanctions introduced by the GDPR is that any business or company found to have violated or breached its provisions will be liable to pay a fine of 4% of the company’s annual turnover, in addition to other tougher sanctions.
Thus, it becomes necessary for companies to implement sound policies and technical and organizational measures as part of a comprehensive information management policy.
It is extremely worrying that many companies are yet to commence compliance preparation as the countdown to the new regulation begins. A recent Experian survey of UK companies shows that, if the 20% of businesses that have experienced data breaches suffer repeated breaches over the next two years, they will be liable to pay fines amounting to £20 billion.
In light of this frightening reality, listed below are steps companies can take now to secure their data processing future come May 25, 2018.
- Creating Awareness
Ensure that key personnel and decision makers within your organization are aware that the rules and regulations are changing to the GDPR. They need to brace themselves for the impact this change is likely to generate, and painstakingly review and mark out areas that may hamper the compliance process. A key place to start is your organizational risk register. For larger and more complex businesses, implementing compliance in line with GDPR guidelines may have significant resource implications. Thus, it is not advisable to leave preparation plans until the eleventh hour. The earlier you start, the better.
- Evaluate Data at Your Disposal
Under the provisions of the GDPR, you are required to record your processing activities properly. Thus, to ensure that you fully comply with the said directives, evaluate and document the information you are currently holding. Try to ascertain where it came from and who actually shared it with you. Setting up a data audit function across your company, or within specific areas of your business, would go a long way in ensuring compliance. If you have shared inaccurate information with another company, contact that company and inform it of the details of the inaccurate information so that it can correct and update its own records. But until you know where such data came from and who shared it with you, you will not be able to undertake the correction measures. This is why you need to evaluate and document all data in your care.
- Review and Communicate Your Privacy Information
- Legal basis for Data Processing
- Method of Acquiring Consent
Your company needs to review and determine how it seeks, stores and manages consent. See whether you will need to make any minor or radical changes to your consent acquisition policy. Critically study the guidelines of the GDPR and check whether your current consent policy mirrors the terms provided in the GDPR.
- Think About Children
For the first time, the GDPR will bring in sustainable protection for children’s rights to privacy, especially in the area of social media networking and similar commercial internet activities. Therefore, your company should start to develop a system that verifies people’s age in order to identify minors and to seek parental or guardian consent, so as to establish the legality of any data processing activity.
- Data Breach Detection
Since the upcoming GDPR makes it mandatory for all companies to report any data breach within 72 hours of its occurrence, companies must put in place techniques and procedures to detect, investigate and report such breaches. First, determine the types of personal information in your care; then ascertain and document where, and under what conditions, you would be mandated to notify the data subject or report to a DPA in the event of such a breach.
The advent of the GDPR has brought a new era of responsibility and accountability for companies, and it is clear that all businesses will be significantly affected by the binding reach of the GDPR across the business world.
To this end, organizations will need to implement the required mechanisms to fully comply with the provisions of the GDPR, notwithstanding that the law will only come into effect a year from now.
The fact that some companies (though very few) are already exploring ways to comply with the incoming law is evidence of fear of the hammer blow that awaits any business that fails to comply with the world’s first universal Data Protection Regulation.