Are you ready for the EU’s new General Data Protection Regulation?
The EU will implement the General Data Protection Regulation in 2018 to protect EU residents’ privacy. Is your organization ready for this new legislation?
Time to get ready
The General Data Protection Regulation (GDPR) was released in 2016 and the law will come into effect on 25 May 2018. It will replace the older Data Protection Directive 95/46/EC to become the single all-encompassing privacy protection regulation in the EU. The GDPR will apply to any organization, even those outside of the EU, that controls or processes data of EU residents. This essentially makes the GDPR a global law — and international organizations must pay attention if they wish to avoid being caught by the new rules and potentially suffering heavy financial penalties.
Time to change
For a long time, organizations have adopted ad hoc and voluntary data protection measures, which have resulted in large discrepancies over their ability to protect privacy. Despite the best efforts of regulators and privacy commissions to push for better privacy protection, such as through Privacy by Design (PbD), it is often an afterthought bolted onto information security programs.
Too many organizations have been content to meet minimal compliance obligations without taking responsibility for protecting customers’ and employees’ information. The GDPR changes all this and makes it clear where responsibility for privacy protection lies — in the hands of those who collect, store, analyze and manage data.
Twelve big changes
1. EU residents will gain more control of their personal data
Individuals will have stronger rights over their personal data, including being able to transfer it to other service providers, and even demand their data is deleted. Organizations must provide EU residents with clear information on how data is processed and will need to obtain their explicit consent to process it.
2. Everyone has to follow the same rules
All organizations that process EU residents’ data, regardless of whether they are established in the EU, will be bound by these new rules.
3. Companies will report to one supervising authority
Currently, organizations report to a data protection authority in each of the 28 EU member states. The GDPR will streamline this by creating one overarching supervising authority, helping to reduce reporting costs.
4. More companies will need a data protection officer
Companies conducting large-scale processing, or processing of certain types of data as part of their fundamental business activities, will be required to appoint a data protection officer. This data could include race, ethnicity, orientation, health, political opinions or any other information that may identify an individual.
5. Rules advocate a risk-based approach
Instead of a one-size-fits-all solution, companies must use a risk-based approach that tailors privacy protection programs according to their greatest threats. This will include a privacy impact assessment (PIA) for every identified risk and for the systems and processes associated with it.
6. PbD becomes an enshrined requirement
Despite being the international gold standard for privacy protection, very few organizations have adopted PbD. The GDPR requires them to design policies, procedures and systems that follow PbD principles at the outset of every product or process development.
7. Companies have 72 hours to report a breach
Currently, companies have to adhere to the rules of each EU member state over data breach notifications. The GDPR will streamline the notification process: companies will report to a single supervising authority. Notifications must include the nature of the breach, who has been affected, the potential impacts and the steps taken to address the problem.
8. Fines for violations are substantially higher
Companies that violate the basic processing principles of the GDPR could face a maximum fine equivalent to 4% of the organization’s global annual revenues, which could cost multinational corporations hundreds of millions of US dollars.
9. Security is tied to risk
Companies will be required to implement security measures that balance the newest technology with the cost of implementation. These must reflect the severity and likelihood of risks to an individual’s rights and freedoms.
10. The definition of “consent” has been significantly restricted
Consent must be “freely given, specific, informed and unambiguous.” Specifically, the GDPR requires the data subject to signal agreement by “a statement or a clear affirmative action.” There are also new restrictions on the ability of children to consent to data processing without parental authorization.
11. Cross-border transfers are allowed, under certain conditions
The GDPR allows data transfers to countries that provide “adequate” levels of personal data protection. Transfers to non-EU states without an adequate level of personal data protection are also permitted, provided they use other methods that guarantee data protection — such as standard contractual clauses or binding corporate rules (BCRs).
12. The restrictions on “profiling” are more narrow than proposed
Under Article 4(3aa), data processing may be characterized as “profiling” when it involves (a) the automated processing of personal data; and (b) using that personal data to evaluate certain personal aspects relating to a natural person. This definition implicitly excludes data processing that is not automated.
Better safe than sorry