Are you informed and ready for GDPR compliance?
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It applies to all companies that collect and process data belonging to European Union (EU) citizens, and it also addresses the export of personal data outside of the EU. GDPR aims principally to give citizens and residents control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. The Regulation was adopted on April 14th, 2016 and, after a two-year transition period, becomes enforceable on May 25th, 2018. GDPR replaced the Data Protection Act 1998, which was essentially a set of minimum required standards.
At a high level, here are some of the most prominent requirements of GDPR:
The regulation applies if the data controller (an organization that collects data from EU residents), or processor (an organization that processes data on behalf of a data controller), or the data subject (person) is based in the EU. Under certain circumstances, the regulation also applies to organizations based outside the EU if they collect or process personal data of individuals located inside the EU. According to the European Commission, “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
GDPR specifically prohibits the use of long and complicated terms and conditions, particularly statements that contain legalese. Any request for consent, declaration of terms, or statement of privacy must be presented clearly and concisely, without any ambiguity of meaning. Furthermore, it must be as easy to withdraw consent as it is to give it.
Breach notification
Compliance with GDPR requires companies to notify all data subjects that a security breach has occurred within 72 hours of first discovery. The notification must use as many channels as are needed to disseminate the information promptly.
Right to access
GDPR requires companies to provide, at the data subject’s request, confirmation as to whether personal data pertaining to them is being processed, where it is being processed, and for what purpose. Companies must also be able to provide, free of charge, a copy of the personal data being processed in an electronic format.
Right to be forgotten
Under GDPR, companies must erase all personal data when asked to do so by the data subject. At that point, the company must cease further dissemination of the data and halt all processing. Valid grounds for erasure include the data no longer being relevant, the original purpose having been satisfied, or simply the data subject's subsequent withdrawal of consent.
Data portability
GDPR requires companies to provide mechanisms for a data subject to receive any previously provided personal data in a commonly used and machine-readable format. Under this provision, the data subject also has the right to request that the company transmit the data to another processor, free of charge.
Privacy by Design
Compliant companies must follow Privacy by Design principles and implement appropriate technical and organizational measures to meet the requirements of the GDPR and protect the rights of data subjects. In practical terms, this provision means that a company will process only the data absolutely necessary to carry out its business and will limit access to personal data to those employees who need the information to complete the processing the data subject consented to.
Data Protection Officers
Large enterprises wishing to comply with the GDPR must maintain thorough and comprehensive records on the collection, processing, and storage of personal data. In addition, these enterprises must designate a Data Protection Officer (DPO) to oversee the application of the GDPR and to protect personal data from misuse, unauthorized access, and other security breaches. If an enterprise meets the criteria, a designated DPO is a requirement, not an option.
Penalties for noncompliance with the GDPR
Penalties for failing to comply with the provisions of the GDPR can be severe and carry a significant risk of liability for any company. The maximum assessable penalty for noncompliance with the GDPR is 4% of the company's annual global revenue. The maximum penalty is imposed on organizations that fail to obtain sufficient customer consent to process data or that violate the Privacy by Design concept. Other violations are assessed on a tiered basis depending on the infraction. For example, a company can be fined 2% for not having its records in order, for not notifying the supervising authority and the data subject about a security breach in a timely manner, or for not conducting a required impact assessment of a security breach.
ULedger – Technology to Facilitate GDPR Compliance
- Personal Data Processing: maintain control and transparency with a complete history of all transactions relating to personal data
- Right to be Forgotten: prove through an immutable history log that data erasure requests have been satisfied, and track consent responsibilities with an immutable history log
- Data Portability: prove that data transmission requests were carried out when requested
- Breach Notification: ULedger data log tampering notifications detect when data logs have been compromised
- Privacy by Design: prove that data processing was only for intended business purposes and that access was appropriate
- Access Rights: transparency into the collection, processing, and transmission of personal data, coupled with the ability to prove that history through an immutable history log
- Data Protection: keeps the data protection responsibilities with the DPO and provides tools to protect personal data from misuse, unauthorized access, and other security breaches
If you think about the implications, this will touch the vast majority of companies, as GDPR applies to companies that conduct business in the EU. If a company does not conduct business in the EU but holds data of an EU resident, the regulation still applies. This can be thought of as the new global standard. A year from now, on the one-year anniversary of GDPR compliance, we will undoubtedly know a lot more than we know today. Many of the requirements of the regulation are vague; it will take time, through the adoption of best practices, regulatory actions, and Member State interpretations, to gain clarity on how best to meet them. Factor in also that each of the 28 EU Member States will have its own enforcement mechanism, so there will likely be conflicting actions and interpretations coming from the Member States.