Are You Ready for the Upcoming GDPR?
The GDPR came into force on May 24, 2016, with a two-year grace period for all EU member states to agree on the final texts. Businesses and organizations were given time to prepare for the new regulation, which becomes fully applicable on May 25, 2018. The legislation is the result of four years of work with a single aim: updating the data protection laws to correspond to previously unforeseen ways in which data is now used. The GDPR brings more severe fines for non-compliance and data breaches, and gives people more control over what companies can do with their personal data. Finally, the regulation makes data protection standards more or less uniform throughout the EU.
The reasons behind GDPR
In the first place, the EU wants to give its citizens more say over how their personal data is used. The existing legislation was enacted before the Internet and cloud technology created new ways of using personal data, so the GDPR aims to cover that sector as well. By enforcing tougher data protection regulations, as well as infraction measures, the EU aims to improve public trust in the growing digital economy. Secondly, the EU wants to create a clearer legal environment in which businesses can operate, with data protection law identical throughout the EU market.
Who will be affected?
The GDPR recognizes two groups of subjects to which the new legislation will apply: controllers and processors. A data controller specifies how and why personal data is processed, and a processor does the actual processing of the data. Basically, a controller could be any organization, from a fund-raising company to a charity or government. A processor could be an IT company hired to do the actual data processing. The important aspect of the regulation is that even controllers and processors based outside the EU will still be affected by it, as long as they are handling EU residents’ data.
What is considered personal data under GDPR?
Under the GDPR, the definition of personal data has been significantly expanded. Even online identifiers such as IP addresses now qualify as personal data. Economic, cultural or mental health information is also considered identifiable information. Depending on the transparency, pseudonymised personal data may also fall under the GDPR rules.
How can organizations get consent?
Under the GDPR, consent must come as an active, affirmative action by the data subject. Passive acceptance, such as the pre-ticked boxes or opt-outs that some current models rely on, is ruled out. Controllers are obliged to keep records of how and when individuals gave consent, and every individual must be able to withdraw that consent at their discretion. Unless your current model for obtaining consent meets the new GDPR requirements, you’ll have to revise it or stop collecting personal data when the GDPR becomes fully applicable in May 2018.
How can people access the stored data?
People can ask for access at ‘reasonable intervals’, and controllers must respond within one month. Under the GDPR, controllers and processors must be transparent about how they collect data, what they do with it and how they process it. The explanation must be clear and understandable to a wider audience. Under the new regulation, individuals also have the right to ask for their data to be deleted if it is no longer serving the purpose for which it was collected. The controller, in turn, is responsible for telling other organizations to sever any links to copies of that data and to delete the copies they hold.
What if the data is breached?
Within 72 hours, a controller or processor is responsible for informing their data protection authority of any data breach that puts people’s rights and freedoms at risk. Although the deadline is too tight for a more elaborate investigation, by the time an organization contacts its data protection authority it should be able to outline the nature of the data affected, a rough estimate of how many people are impacted, what consequences it could have for them, and what measures the organization has already taken or plans to take in response. However, even before notifying the authorities, organizations need to tell the people affected by the breach. Those who fail to meet the deadline could face a penalty of up to 2% of their annual worldwide revenue, or a sum not less than €10 million.
What is the current status?
According to a snap survey of 170 cybersecurity staff members by Imperva, the overwhelming majority of IT security professionals are aware of the GDPR, but just under half of them are preparing for its arrival. About 43% of them are assessing the GDPR’s impact on their companies and readily adjusting their practices to keep up with the legislation. Although the participants were largely US-based, they will still be affected by the GDPR if they handle, or outsource to another company the handling of, personal data of EU citizens. Surprisingly, nearly a third said they are not preparing for the incoming regulations.
If you have not yet implemented the main principles of the GDPR, the best advice is to start preparing as early as possible. Employ a data protection officer, and check the current status of your existing data protection rules and policies. If your third-party suppliers’ data protection policies do not check out as valid, maybe it’s time to start looking for new alliances.