The European Union's General Data Protection Regulation (GDPR) goes into effect on May 25, 2018. Are you ready for it?
The GDPR introduces new accountability obligations, stronger individual rights, and restrictions on international data flow. Any organization that handles data about European citizens, regardless of where that organization is located, is subject to the GDPR. That makes the GDPR, in effect, the first international standard on data protection.
But what does that mean to you / your company?
At the simplest level, if you are found to be in violation of the GDPR, you could be fined up to €20 million (almost $30 million CDN) or 4% of "group annual global turnover", whichever is greater. So a gross violation (e.g. not reporting a data breach within 72 hours) could result in a $30,000,000 minimum fine.
What does the GDPR entail?
These are the points that you need to know:
- It Applies to All -- If you work with personal data of European citizens, it applies to you. The GDPR has also broadened the definition of "personal information" to include "anything that can be used to identify an individual". That includes genetic, mental, cultural, economic, and social information as well as the regular data (address, name, birthdate, etc.).
- You must be able to prove consent -- It is not enough to simply state that you are collecting information, you need to make sure that you specifically ask for permission and that you track when and how that permission was given. You must also use plain and simple language to explain how and where the information will be used. Opt-outs are not allowed (it must all be opt-in). People must be able to decline the collection of personal information and you may only decline service(s) if the data collection was integral to the service.
- You might need a Data Protection Officer (DPO) -- Public authorities that process personal information and companies whose core activities require "regular and systematic monitoring of data subjects on a large scale" or consist of "processing on a large scale of special categories of data", require a DPO. In Europe alone, this means that almost 30,000 new DPOs will need to be hired/appointed in the next 2 years. If you already have a CPO (Chief Privacy Officer), you simply need to make sure they are following the GDPR as well.
- You may need to perform Privacy Impact Assessments (PIA) -- If there are areas of your business that could expose personal information, you need to perform a PIA. This could mean that a PIA is required before starting any new projects involving people's personal information.
- You must report data breaches within 72 hours -- If you are breached, you must notify your customers within 72 hours. To accomplish this, you first need to know that you have been breached, and many companies would not know, because they do not have the technology and processes in place to detect a breach.
- People have the right to be forgotten -- This goes a step further under the GDPR, in that you are only allowed to hold data as long as you need it and cannot use it for purposes other than what it was collected for. And if an individual asks to be removed from your system, you must do so. And it must be as easy to remove the data as it was to consent to its collection (example, their account info page should have a delete account button). If you wish to use collected data for a purpose other than what you collected it for, you must ask for fresh consent.
- If you are a data processor, you are also liable -- If your company processes data on behalf of another company (example, a call centre doing market research for another company), you also fall under the GDPR and need to implement the same procedures.
- It requires privacy by design -- Software must ensure proper and complete erasure of data. If you back up your DB, then erase personal data, and then have to restore from a backup that still contains that personal data, you must make sure the personal data is removed again after the restore. Cases like this are tricky and require careful planning of both procedures and technology.
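The two points above (deleting an account on request, and keeping that deletion effective after a backup restore) are easiest to get right with an erasure ledger that lives outside the database backups and is replayed after every restore. The following is an added example written for this post, not code from the original author or from any product; it assumes an in-memory user table standing in for the DB, an in-memory snapshot standing in for the backup, and a constructed ledger key. All names and sample records are constructed for the example.

```python
import copy
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed key for the example. In a real deployment the key is kept
# outside the database backups, so a restore never brings it back either.
LEDGER_KEY = b"example-ledger-key-not-for-production"


def ledger_token(user_id: str) -> str:
    """Keyed hash of a user id, so the ledger records who was erased
    without itself holding the raw identifier of a person who asked to
    be forgotten."""
    return hmac.new(LEDGER_KEY, user_id.encode(), hashlib.sha256).hexdigest()


class ErasureLedger:
    """Append-only log of erasure requests, stored separately from the DB."""

    def __init__(self):
        self._entries = []  # (token, requested_at) pairs

    def record(self, user_id: str) -> None:
        self._entries.append((ledger_token(user_id), datetime.now(timezone.utc)))

    def tokens(self) -> set:
        return {tok for tok, _ in self._entries}


class UserStore:
    """Minimal stand-in for a customer table; rows keyed by user id."""

    def __init__(self):
        self.rows = {}

    def add(self, user_id: str, name: str, email: str) -> None:
        self.rows[user_id] = {"name": name, "email": email}

    def snapshot(self) -> dict:
        """Take a 'backup' (deep copy) of the current rows."""
        return copy.deepcopy(self.rows)

    def restore(self, snapshot: dict) -> None:
        """Naive restore: puts back whatever the backup held."""
        self.rows = copy.deepcopy(snapshot)


def erase_user(store: UserStore, ledger: ErasureLedger, user_id: str) -> None:
    """The 'delete account' path: drop the row and log the request."""
    store.rows.pop(user_id, None)
    ledger.record(user_id)


def restore_with_replay(store: UserStore, ledger: ErasureLedger, snapshot: dict) -> list:
    """Restore the backup, then re-apply every erasure in the ledger.
    Replaying all entries is idempotent, so it is safe to run after any restore."""
    store.restore(snapshot)
    erased = ledger.tokens()
    reapplied = [uid for uid in list(store.rows) if ledger_token(uid) in erased]
    for uid in reapplied:
        del store.rows[uid]
    return sorted(reapplied)


def demo() -> tuple:
    """Walk through backup -> erasure -> naive restore -> restore with replay."""
    store, ledger = UserStore(), ErasureLedger()
    store.add("u1", "Alice Example", "alice@example.test")  # constructed
    store.add("u2", "Bob Example", "bob@example.test")      # constructed
    backup = store.snapshot()          # nightly backup taken here
    erase_user(store, ledger, "u1")    # u1 asks to be forgotten
    store.restore(backup)              # naive restore brings u1 back
    naive_leak = "u1" in store.rows
    reapplied = restore_with_replay(store, ledger, backup)
    return naive_leak, reapplied, sorted(store.rows)


if __name__ == "__main__":
    print(demo())  # (True, ['u1'], ['u2'])
```

The design choice worth noting is that the ledger stores a keyed hash rather than the user id, so the record of an erasure is not itself a copy of the data the person asked you to remove; the restore procedure then becomes "restore, replay ledger" rather than relying on someone remembering which accounts were deleted since the backup was taken.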
There is a lot that must be done to be ready for the GDPR. If you have more questions about your rights and obligations under the GDPR, you should consult your lawyer. If you need help implementing the technological changes required for compliance, we would love the opportunity to help your company protect both itself and the data of your customers.