Is your company ready for one of the strictest data protection laws ever?
Failure to comply with the GDPR could leave companies vulnerable to stiff penalties.
The General Data Protection Regulation (GDPR) was adopted by the European Parliament in April 2016 and replaces the Data Protection Directive of 1995 (Directive 95/46/EC). Because it is a regulation rather than a directive, it applies directly in every member state without national transposition. Companies that are already compliant with the Directive must still take additional steps to meet the new requirements before the GDPR becomes enforceable on May 25, 2018; those that fail to comply face substantial fines.
The main goal of the GDPR is a single, uniform data protection law covering the personal data of everyone in the EU, so that member states no longer need separate national laws and the rules stay consistent across the Union. Its territorial scope is also broad: any company that offers goods or services to people in the EU, or monitors their behaviour, is subject to the regulation whether or not it is established in a member state. The GDPR is therefore expected to have a major impact on data protection requirements globally, and every company within its scope must take concrete steps toward compliance before the deadline.
Primary Privacy and Data Protection Requirements of the GDPR
- Obtain explicit consent from data subjects for processing, and give clear notices of how their data is used
- Anonymise or, where the data must remain usable, pseudonymise collected personal data to protect privacy (Article 32 names pseudonymisation and encryption as example measures)
- Notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33)
- Transfer personal data outside the EU only under the safeguards the regulation permits (Articles 44 to 49)
- Appoint a data protection officer to oversee GDPR compliance (mandatory for certain organisations under Article 37)
According to DigitalGuardian.com, the GDPR compliance checklist covers the following areas:
The adopted GDPR contains 11 chapters and 99 articles; the 91-article figure and references such as "Article 33a" that appear in some guides come from the earlier draft numbering, which differs from the final text. In the adopted text, the articles with the greatest impact on security operations include Article 17 (right to erasure), Article 20 (data portability), Article 25 (data protection by design and by default), Article 30 (records of processing activities), Article 32 (security of processing), Articles 33 and 34 (breach notification), Article 35 (data protection impact assessment), Articles 37 to 39 (data protection officer), Articles 44 to 49 (international transfers) and Article 83 (administrative fines).
Under Corporate Governance, companies must especially pay attention to the following points:
- Record keeping (Article 30)
- Data Protection Officer (Article 37)
- Data Retention (Article 5)
- Privacy Impact Assessment (“PIA”) (Article 35)
- Employee training (Article 5)
- Policies and procedures (Article 5)
Privacy Notices (Articles 12 to 14)
- Privacy notice timelines
- Privacy notice required information
- Language/form of privacy notices
- Has the company established the legal basis on which grounds it processes all the different (nonsensitive) personal data that it holds? (Article 6)
- Has the company established the legal basis on which grounds it processes all the special categories of personal data (previously known as sensitive personal data) that it holds? (Article 9)
- Where the ground for processing is consent (Article 7)
- Profiling (Article 22)
- Children (Article 8)
The checklist then covers the remaining areas:
- Data subject rights (Articles 15 to 22)
- Privacy by design and by default (Article 25)
- Data processors (Article 28) and international transfers (Articles 44 to 49)
- Security of processing (Article 32) and breach notification (Articles 33 and 34)
The GDPR leaves much to interpretation, and legal commentators read some of its provisions differently. A central example is Article 32, which requires controllers and processors to implement technical and organisational security measures "appropriate" to the risk, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, but does not specify which measures count as appropriate. That gives the supervisory authorities wide discretion when assessing fines for breaches and non-compliance, which under Article 83 can reach EUR 20 million or 4% of worldwide annual turnover, whichever is higher.
The best advice is to apply every relevant GDPR requirement before the deadline and to ensure that all data collection and use is documented and accounted for. Compliance will both spare the business fines and strengthen the protection of customer data.