The resulting GDPR, approved by the EU Parliament in 2016, will completely replace the 1995 Data Protection Directive, increasing citizens’ control over their own data and giving EU member state regulators the power to enforce the rules and impose fines well beyond the borders of the EU. The central provisions of GDPR focus on permissions and control. GDPR will replace our current Data Protection Act (DPA) and is designed to harmonise data protection legislation across Europe so that we all operate to the same standards.
Having just spent a great deal of quality time with attorneys, educating the legal community about the benefits of eDiscovery in the cloud, I noticed that there is still a proverbial elephant in the room—the European Union’s General Data Protection Regulation (GDPR). Next year, thousands of corporations will have to comply with a whole new set of data management rules prescribed by GDPR. While opinions and knowledge of the GDPR varied, three questions kept cropping up:
GDPR creates a unified set of laws and stricter regulations for EU citizen data processing, and it also specifies steep penalties for noncompliance. These penalties are in the form of administrative fines and can be imposed for any type of GDPR violation, including those that are purely procedural. Fines come in two tiers: up to €10 million or 2% of global annual turnover for the lower tier, and up to €20 million or 4% of global annual turnover for the higher tier, whichever amount is greater in each case.
The primary reasons for the new regulation are:
GDPR goes into effect on May 25, 2018—which leaves companies a year to prepare for drastic changes in how they handle the personal data of EU residents. Let’s explore what your organization can do to prepare for GDPR.
GDPR First Steps
Is your business subject to GDPR?
GDPR applies to a larger scope of organizations than did the Data Protection Directive (Directive 95/46/EC), its predecessor. Many businesses that were not subject to European privacy laws will, in fact, need to comply with GDPR. Here’s how to determine if you must comply:
GDPR applies to all organizations with a presence in the EU where personal data is processed during the performance of business activities—even a minimal footprint (such as having a single EU-based employee) suffices.
If a company without a physical presence in the EU is targeting EU residents to offer them goods and services, or is monitoring their behaviour, GDPR applies. “Targeting” includes using an EU language or currency, tailoring products to EU residents, or aggressive marketing within the EU. “Monitoring” means tracking people online to create profiles or to analyze and predict personal preferences, patterns of behavior, or attitudes.
Is your company required to have a Data Protection Officer (DPO)?
Different from a compliance officer or legal counsel, a DPO reports directly to the highest level of management and has the authority to monitor the company’s data processing. The obligation to appoint a DPO does not depend on headcount: it applies to public authorities, to organizations whose core activities require regular and systematic monitoring of data subjects on a large scale, and to organizations whose core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences. Organizations outside these categories may still choose to appoint a DPO voluntarily.
Are there processes in place to respond to requests to delete/amend/provide copies of data?
In addition to the rights prescribed by the Data Protection Directive—such as access to copies of data, the right to rectification, and the right to restrict processing—GDPR also includes the right to erasure and the right to data portability (allowing people to receive their data in a machine-readable format and transfer it to another service provider). This means your company must develop thorough procedures to respond to these types of requests within the regulation’s one-month deadline.
Does your company have an incident response plan that meets GDPR requirements?
GDPR includes a data-breach notification requirement. A personal data breach must be reported to the supervisory authority within 72 hours of the company becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, the affected data subjects also must be notified without “undue delay.”
What are your organization’s data transfer mechanisms?
If your company hasn’t determined how personal information is transferred from the EU, it’s a good time to examine your transfer mechanisms, as they are subject to administrative penalties. If your organization transfers data from the EU to the US, your options are:
It seems the common threads in all these requirements are the allocation of more resources for data protection and governance, and a more proactive approach to privacy and security.
Druva, the Cloud, and GDPR
Offering the only cloud-native data protection SaaS on the market, Druva solutions address compliance with regulations such as GDPR head-on using the power of the public cloud:
Druva blog content originally published on the GDPR Report
Obelisk Support consultant Alisha McKerron Heese provides some advice on how data processors can comply with upcoming GDPR legislation.
We are fast reaching the countdown phase for the General Data Protection Regulation (GDPR) which comes into effect in just over six months on 25th May 2018.
Preparing for GDPR is a complex process which requires far more than merely updating your processing agreements and fulfilling your contractual obligations. While the regulation stipulates that certain provisions be inserted in processing agreements (art. 28(3)), it does not stop at that. For the first time, statutory data protection requirements (which previously only applied to data controllers) will place direct obligations on you as a processor as well. This enables data subjects to enforce their rights directly against you. Non-compliance is also more severely punished, through significantly heavier fines. To be precise, under the current law, the maximum monetary penalty the Information Commissioner can impose is £500,000. Under GDPR, however, that fine can be anything up to 4% of an organisation’s annual worldwide turnover, or €20 million, whichever is higher.
So, what are these new requirements and what steps should you take to ensure that you will be compliant from 25 May 2018?
Your processing agreements must be GDPR compliant. This means that you have agreed to:
You must have determined if you are required to maintain written records of categories of processing activities (art. 30). This requirement originates from the accountability principle (art. 5), a recurring theme throughout GDPR which puts the onus on you to be responsible for, and to demonstrate, compliance. Information which must be captured includes details of any other processors, your client’s details and those of any Data Protection Officers (DPO), the categories of processing, details of transfers to third countries and a description of the general technical and organisational security measures (art. 30(2)). These records must be provided to the supervisory authority on request.
If you employ fewer than 250 people, you will be excluded from this requirement provided that the processing does not pose a risk to the rights and freedoms of individuals, is not more than occasional, and does not include special category data.
Note: Special category data includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data processed to uniquely identify a person, data concerning health, and data concerning a natural person’s sex life or sexual orientation (art. 9(1)).
You must have appropriate security measures – referred to as appropriate technical and organisational measures (art. 32). If you are wondering what appropriate technical and organisational measures means, you are not the first. No definition is provided by the regulation, thereby putting the onus on you to decide. You must consider a variety of factors: the sensitivity of data, the risks to individuals associated with any security breach, the state of the art, the costs of implementation and nature of processing.
This requires you to have a comprehensive understanding of your systems and the type of data processed. While they can vary, appropriate measures include pseudonymisation and encryption of personal data. Regular testing of any security measures is also required where appropriate. This will enable you to detect any weaknesses and pick up any problems quickly which is particularly important in the event of a breach.
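The regulation names pseudonymisation as an appropriate measure but does not say how to do it, and the most common mistake is to hash an identifier with no key: an e-mail address has so little entropy that anyone holding the dataset can rebuild the mapping from a list of plausible addresses. The script below is an added example for this article, not code from Obelisk Support or any GDPR text; the record and the candidate address list are constructed for the demonstration. It contrasts an unkeyed SHA-256 pseudonym with an HMAC-SHA256 pseudonym under a secret key kept apart from the data, and includes the kind of self-test the regulation’s “regular testing” obligation suggests: it runs the enumeration attack against both and shows that only the keyed form survives while still letting the key holder link records consistently.

```python
import hmac
import hashlib
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample data for the demonstration (not from any real dataset).
RECORD = {"email": "Alice@Example.com", "country": "DE", "plan": "pro"}
CANDIDATE_EMAILS = ["bob@example.com", "alice@example.com", "carol@example.com"]


def normalise(identifier: str) -> bytes:
    """Canonicalise before hashing so 'Alice@Example.com' and
    'alice@example.com' map to the same pseudonym."""
    return identifier.strip().lower().encode("utf-8")


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256. Anyone with a list of plausible e-mail addresses can
    hash each one and match it against the stored value, so this is NOT
    effective pseudonymisation for low-entropy identifiers."""
    return hashlib.sha256(normalise(identifier)).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Without the key an attacker cannot
    recompute the mapping; the key can be held by the controller or in a
    separate secret store so the dataset alone does not identify anyone."""
    return hmac.new(key, normalise(identifier), hashlib.sha256).hexdigest()


def pseudonymise_record(record: dict, key: bytes,
                        fields: Iterable[str] = ("email",)) -> dict:
    """Return a copy of the record with the direct identifiers replaced by
    keyed pseudonyms; the remaining fields stay available for processing."""
    out = dict(record)
    for field in fields:
        if field in out:
            out[field] = keyed_pseudonym(out[field], key)
    return out


def recover_by_enumeration(token: str, candidates: Iterable[str],
                           fn: Callable[[str], str]) -> Optional[str]:
    """Dictionary attack as an attacker without the key would run it: apply
    fn to each candidate and check whether the result matches the token."""
    for candidate in candidates:
        if hmac.compare_digest(fn(candidate), token):
            return candidate
    return None


def demo() -> dict:
    key = secrets.token_bytes(32)  # in practice: a managed secret, rotated per policy
    naive = naive_pseudonym(RECORD["email"])
    pseudonymised = pseudonymise_record(RECORD, key)
    return {
        # unkeyed hash: the attacker's guess list recovers the address
        "naive_recovered": recover_by_enumeration(naive, CANDIDATE_EMAILS, naive_pseudonym),
        # keyed pseudonym: the same guess list finds nothing without the key
        "keyed_recovered": recover_by_enumeration(pseudonymised["email"], CANDIDATE_EMAILS,
                                                 naive_pseudonym),
        # the key holder can still link records for the same person
        "linkable_with_key": pseudonymised["email"] == keyed_pseudonym("alice@example.com", key),
        "non_identifying_fields_kept": pseudonymised["country"] == "DE",
    }


if __name__ == "__main__":
    print(demo())
```

Pseudonymised data is still personal data under the regulation as long as the key exists, so the key, not the dataset, becomes the asset to protect: store it separately from the records, restrict who can call the keyed function, and plan its rotation, since rotating the key breaks linkage with previously issued pseudonyms.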
You must be able to detect data breaches and notify the controller without undue delay upon becoming aware of a breach (art. 33(2)). It may be in your interests to clarify in your processing agreement (if you have not already done so) when delay may be undue, as this is not made clear in the regulation and the controller itself has only 72 hours from becoming aware to notify the supervisory authority.
You must have a DPO if required, although you may appoint one even if not required. A DPO is required if you are a public authority, if your core activities require regular and systematic monitoring of data subjects on a large scale, or if your core activities consist of large-scale processing of special categories of personal data or of data relating to criminal convictions and offences (art. 37). A DPO’s primary role is to independently advise you on compliance with the GDPR, and they are the contact point for data subjects and for the supervisory authority.
You must have prior specific or general written authorisation from your client if you enlist another processor or replace a sub-processor (art. 28(2)). You must reflect the same contractual obligations you have with your client in a contract with any sub-processor, and you remain fully liable to your client for the action or inaction of any sub-processor.
You must ensure that you have appropriate safeguards for any transfers of personal data to a third country (in the absence of an adequacy decision) and that the data subjects have enforceable rights in that country with respect to the data. This is your decision to make, and is independent of any instructions from your client with regards to data processing.
Making your processing agreement GDPR compliant is just the start. The steps outlined above are by no means an exhaustive list, but should hopefully assist you in your journey to becoming GDPR compliant. Not long to go before the clock stops ticking!