What is the EU’s GDPR?
GDPR is the General Data Protection Regulation, which the European Parliament, the Council of the European Union and the European Commission are rolling out. Its aim is to strengthen and unify data protection in the EU and to govern the export of personal data outside the EU. When the regulation takes effect it will replace the Data Protection Directive issued in 1995. About time, I’d say!
GDPR was adopted on 27th of April 2016 and does not need to be enacted by additional legislation at the national level. It has a two-year transition period before coming into force on 25th of May 2018.
The main objective of GDPR is to give control over personal data back to customers and to simplify the regulatory environment for international organizations operating in and outside the EU.
Terminology in Short
It is easy to get lost when the terminology isn’t familiar. Here is a list of the main terms that will help you understand GDPR better.
The regulation does not give a closed definition of personal data: anything relating to an individual is considered personal data, for example a user name, address, photos, email, social media updates or an IP address.
A data processor is whoever processes personal data on behalf of the customer, for example a marketing agency or a company that develops digital services for its customer.
The data controller is in charge of the personal data registry. It can be a company, official, organization, institution or foundation. The data controller is legally responsible for the registry and its use, and is the stakeholder for whom it was created. By law the controller has to create a registry description from which one can tell the registry’s purpose, the data being collected, the data sources, how the registry is protected, and contact information for the registry.
Data Protection Officer
The Data Protection Officer is responsible for IT security if the organization’s core functions involve handling sensitive personal information or large personal information databases. According to GDPR it is advisable for every organization to name a person for this role. His or her responsibilities include giving expert advice to personnel and management regarding IT security.
The data protection officer is responsible for overseeing the handling of personal data and is the point of contact for government officials such as the data protection supervisor.
Data Balance Sheet
GDPR requires companies to document the security measures they take when handling personal information. Documentation can be done in other ways than with a data balance sheet, but it is the recommended method even before GDPR is enforced.
The aim of the data balance sheet is to give an overview of how data is handled and an evaluation of the current level of IT security and how it is managed. It shows that the company follows best practices and serves as one way to prove that you comply with the regulation, which is required.
Data Subject Rights
GDPR changes how data is handled and increases individuals’ rights to their own data: being notified about a breach, the right to access and the right to be forgotten.
Notifying your customers of a breach will be mandatory within a time limit of 72 hours from becoming aware of the breach. However, breach notification is required only when the breach risks their rights or freedoms.
Right to Access
Everybody will get the right to access the data that businesses have collected about them, regardless of whether this data is personal or not. You, as a company, must provide a free copy of all personal data to the individual in electronic format. This will force a drastic change towards more transparent data handling and give more access to the individuals whose data is being collected.
Right to be Forgotten
Customers will get the right to request that you erase their data, and the request extends all the way to 3rd parties as well. When this is requested, controllers must weigh the person’s rights against “the public interest in the availability of the data” when considering the request.
Customers have the right to receive their personal data in a usable and machine-readable format. They also have the right to transfer the data to another controller.
Privacy by Design
Privacy by design is a concept that has existed for years but is now becoming a legal requirement with GDPR. It means that privacy has to be built into the design of systems from the beginning instead of being added later. A new system has to comply with the privacy requirements of GDPR from the moment it is created.
GDPR extends EU data protection law to all companies that process data of EU residents. This may seem a hassle at first, but having one universal rule throughout the EU will in the long run cost less.
The EU has the power to impose the following sanctions in the event of a data breach:
- An official warning in cases of a first, non-intentional non-compliance
- Regular data protection audits
- A fine of up to 1 000 000 EUR or up to 2% of annual worldwide turnover in the preceding financial year, whichever is greater
- A fine of up to 2 000 000 EUR or up to 4% of annual worldwide turnover in the preceding financial year, whichever is greater
These penalties are hefty and will ensure that the regulation is followed. In general, this brings legislation into the age of digitalization.
Implications for Customers
What does this mean for customers in short?
- Right to be informed of a breach of privacy within 72 hours of it happening.
- Right of access to data collected by companies.
- Right of rectification, meaning the right to have inaccurate personal data corrected.
- Right to erasure of data when the customer requests it.
- Right to restrict processing when one of the following applies: the accuracy of the data is being verified, the processing is unlawful, or the controller no longer needs the data for processing.
- Right to data portability: transferring personal data to another controller or obtaining it for themselves.
- Right to object to processing of data relating to them at any time. The controller may then only process the data if there are compelling legitimate grounds which override the interests, rights and freedoms of the data subject. Customers can also request that their data not be processed for direct marketing purposes.
- Rights in relation to automated decision making and profiling, meaning that customers have the right to request that their data not be subject to automated processing, including profiling, which produces legal effects concerning them.
Implications for your Business
Penalties are heavy, and Consult Hyperion forecasts that European financial institutions could face fines totalling 4.7bn euros in the first three years of GDPR. It also gives companies the opportunity to showcase how they respect individuals’ privacy and gain a competitive edge over those that aren’t handling the new regulation so well.
For marketing technology vendors GDPR will be a tough one, as they have to shift their feature development to privacy development to comply with the regulation. There is a high chance that a lot of them won’t survive this change.
One of the issues raised by GDPR is that it is no longer enough to secure data in silos within an organization, because data can “leak” to other areas where it is less secure, for example when you use additional marketing software that needs personal information to function.
How to Get Ready
The General Data Protection Regulation will change IT security and privacy in a fundamental way, requiring companies to pay much more attention to them. In many companies this will require a lot of work to reach the regulatory level by the time it comes into force.
The following tasks need to be done in every company:
- Map out the current situation of data handling and processing.
- List personal data registries and/or databases.
- Update processes to match regulations.
- Ask customers for permission to process their personal data.
- Name a Data Controller.
- Check contracts with customers, service providers and subcontractors to ensure that their personal data handling complies with GDPR.
- Document privacy handling and processes.
- Create a data balance sheet.
A daunting task list for sure, so you had better get started to be ready for May 2018. According to a Gartner report on DCAP (data-centric audit and protection), at the moment only two vendors (in the report) meet the full criteria.
I hope this article helped you gain some understanding and/or new insight into the General Data Protection Regulation that is coming to the EU. You can read more about GDPR at www.eugdpr.org.
Updates from Nebula’s GDPR seminar
A lot of the following updates concern Finland specifically, since it was a breakfast event in Finland. I will try to keep this article updated; the following are notes from the event. I have kept them separate as they concern Finland in particular.
In Finland GDPR is handled by an appointed committee which is, for example, deciding how patient data should be handled within GDPR.
There is no direct mention of data management platforms and how you can use them when GDPR goes live. However, a lot will depend on how “hashed” the data is. You have to be sure the information cannot be reversed in a way that connects it back to the same individuals.
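The re-identification risk in the note above can be checked directly. The following is an added example, not code from this post or from Nebula, written in Python: it compares an unkeyed SHA-256 pseudonym with a keyed HMAC-SHA-256 pseudonym and runs the linkage check that a party holding only a list of candidate identifiers could perform. The e-mail addresses are constructed sample values, and `SAMPLE_EMAILS`, `naive_pseudonym`, `keyed_pseudonym`, `relink` and `demo` are names chosen for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample identifiers for this example (not real people).
SAMPLE_EMAILS = ["alice@example.com", "bob@example.org", "carol@example.net"]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier.

    Deterministic and reproducible by anyone who knows the scheme, so a
    party holding a list of candidate identifiers can simply recompute it.
    """
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA-256 of the identifier under a key only the controller holds.

    Without the key the value cannot be recomputed from the identifier,
    so the candidate-list check below finds nothing.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def relink(pseudonyms, candidates, pseudonymize):
    """Controller-side re-identification check.

    Simulates a party who knows the pseudonymization function and a list of
    candidate identifiers but not the controller's key, and returns the
    pseudonyms that party can link back to an identifier.
    """
    table = {pseudonymize(c): c for c in candidates}
    return {p: table[p] for p in pseudonyms if p in table}


def demo():
    """Returns (links found against unkeyed hashes, links found against keyed hashes)."""
    controller_key = secrets.token_bytes(32)  # kept by the controller, never shared
    naive = [naive_pseudonym(e) for e in SAMPLE_EMAILS]
    keyed = [keyed_pseudonym(e, controller_key) for e in SAMPLE_EMAILS]

    # The checking party knows every candidate e-mail address...
    linked_naive = relink(naive, SAMPLE_EMAILS, naive_pseudonym)
    # ...but can only guess at the key.
    linked_keyed = relink(keyed, SAMPLE_EMAILS, lambda e: keyed_pseudonym(e, b"guessed-key"))
    return len(linked_naive), len(linked_keyed)


if __name__ == "__main__":
    n, k = demo()
    print(f"unkeyed SHA-256: {n} of {len(SAMPLE_EMAILS)} pseudonyms linked back")
    print(f"keyed HMAC:      {k} of {len(SAMPLE_EMAILS)} pseudonyms linked back")
```

Running it shows every unkeyed hash linked back and none of the keyed ones. Note that keyed pseudonymization is still pseudonymization rather than anonymization in GDPR terms: as long as the controller holds the key, the pseudonymized set remains personal data, so the key has to be stored and access-controlled separately from the data.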
Who will be the appointed official is still unclear, but it seems that each country will have one individual appointed to the role. An office will be created around this role and given the resources it needs.
During fall 2017 GDPR will be handled by the government of Finland.
In recruitment there is a lot of information which is unwanted or not needed for the hiring process. Most likely applicants will be made responsible for what data they tell the company about themselves. How long you can store the information will also most likely get updated rules.
Limits on how long companies can store information are currently regulated by separate instructions depending on the field. It is unsure whether this will change, so the safest approach is to follow how your industry is regulated currently.
A person’s right to be forgotten: accounting books must be kept for 10 years for legal reasons, and it is doubtful this will change. Otherwise the company that receives the request must inform third parties to delete this person’s data.
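As an added example (not code from this post or from Nebula) of how the right to be forgotten from the earlier section interacts with the 10-year accounting retention mentioned here, the following Python sketch processes an erasure request: records still under a legal retention period are kept but flagged as restricted, everything else for the subject is deleted, and the third parties that received copies are collected for notification. The record categories, dates and processor names are constructed sample values, and the assumption that only the `invoice` category carries the ten-year hold is specific to this example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Retention period the post cites for accounting books.
ACCOUNTING_RETENTION_YEARS = 10


@dataclass
class Record:
    subject_id: str
    category: str                      # e.g. "marketing", "invoice"
    created: date
    # Third-party processors that received a copy (constructed names).
    shared_with: List[str] = field(default_factory=list)
    restricted: bool = False           # set when erasure was refused on legal grounds


def add_years(d: date, years: int) -> date:
    """Add whole years, folding 29 February to 28 February in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_expiry(record: Record) -> Optional[date]:
    """Assumption for this example: only accounting records carry a legal hold."""
    if record.category == "invoice":
        return add_years(record.created, ACCOUNTING_RETENTION_YEARS)
    return None


def process_erasure(records: List[Record], subject_id: str, today: date):
    """Apply an erasure request for subject_id to the registry in place.

    Returns (erased count, retained count, sorted third parties to notify).
    Records still under legal retention are kept but flagged as restricted so
    they are not used for anything beyond the legal obligation itself.
    """
    kept: List[Record] = []
    erased = retained = 0
    notify = set()
    for r in records:
        if r.subject_id != subject_id:
            kept.append(r)
            continue
        expiry = retention_expiry(r)
        if expiry is not None and today < expiry:
            r.restricted = True
            retained += 1
            kept.append(r)
        else:
            erased += 1
            notify.update(r.shared_with)   # downstream copies must be deleted too
    records[:] = kept
    return erased, retained, sorted(notify)


def sample_registry() -> List[Record]:
    """Constructed sample data for the demo."""
    return [
        Record("subject-42", "marketing", date(2016, 9, 1), ["mailer-x", "analytics-y"]),
        Record("subject-42", "invoice", date(2015, 3, 1), ["accounting-saas"]),
        Record("subject-42", "invoice", date(2006, 3, 1), ["accounting-saas"]),
        Record("subject-7", "marketing", date(2017, 1, 15), ["mailer-x"]),
    ]


def demo():
    """Erase subject-42 as of 1 June 2017; returns the result and what remains."""
    registry = sample_registry()
    result = process_erasure(registry, "subject-42", date(2017, 6, 1))
    remaining = [(r.subject_id, r.category, r.restricted) for r in registry]
    return result, remaining


if __name__ == "__main__":
    result, remaining = demo()
    print("erased, retained, notify:", result)
    print("registry after request:", remaining)
```

With the sample data, the 2016 marketing record and the 2006 invoice (whose ten years have passed) are erased and three processors are queued for notification, while the 2015 invoice stays under legal hold but is marked restricted; the other subject’s record is untouched.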
Consent to collecting information has to be presented when asked, and permission can be obtained from any person over 16 years of age. In the gaming industry this can prove challenging, as some kids play with their parent’s phone. Is the parent held accountable, or is the parent giving consent because it is their device?
A data protection officer has to be appointed when you are a government organization, handle large amounts of personal data, or handle sensitive personal data or a criminal registry.