No question you’ve heard a lot lately about the European Union (EU) General Data Protection Regulation (GDPR). It’s a vital piece of law, yet most organizations are not compliant. Now that the GDPR deadline has passed and organizations must be compliant, here’s what your organization needs to know.
According to a recent PwC article, 68% of surveyed firms with over 500 employees said they are planning to spend between $1-10 million USD to address GDPR obligations.
What is GDPR High Level?
The EU GDPR (EU General Data Protection Regulation) is the new EU legal framework that sets the foundation for how firms and agencies around the world must protect the personally identifiable information of EU residents. The legislation also places limitations on what that data can be used for and how it is processed by an organization.
Understand the spirit of GDPR
You don’t want to go through pages and pages of legalese. Put simply, the regulation is designed to put personal data back in the hands of the person it belongs to and to make sure organizations are transparent about how they handle users’ electronic details.
Does GDPR Apply to Us?
Consider all of the user data your organization collects, stores and transmits: web forms, cookies, user preferences, etc. Under GDPR, all personal data of those residing in the EU must be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
If your organization collects or processes personal data drawn from European subjects, GDPR applies to your organization, regardless of whether you have a physical office in the EU and regardless of where the data is geographically processed.
GDPR clearly defines the two primary roles, with their responsibilities, for handling data: the ‘controller’ and the ‘processor’.
Controller means the “body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. Processor means a “body which processes personal data on behalf of the controller”.
Taking into account the nature, scope, context, and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.
GDPR requires clear user consent for personal data processing
The data controller must “demonstrate that the data subject has consented to processing of his or her personal data.” The “request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language”.
Types of Data elements
The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
In the GDPR legislation, personal data is defined as:
“Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity”.
Check that your data storage is secure
Don’t store non-public data unencrypted on a USB stick, for example, or leave it on an unsecured cloud server. Data breaches can lead to large fines, so keep the data encrypted, access-controlled and away from prying eyes.
Make someone in your organization in charge of data security
This person should be well trained and briefed on their responsibilities. Depending on the nature of your organization, this person could be your Privacy or Compliance Officer. Ensure your organization develops the appropriate policies and procedures accordingly and that you have a defined incident response plan in place.
Your organization will also want a proactive cyber security monitoring program in place, because GDPR mandates notification of data breaches within 72 hours:
“In the case of a personal data breach, the data controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the appropriate authorities of such breach”.
If you are unsure whether or not your organization needs to be compliant with GDPR or are looking for guidance on best practices for implementation, contact Todd Jennings, firstname.lastname@example.org.