Disclaimer: I am not a lawyer and this article is based on my own research and interpretation of the General Data Protection Regulation (GDPR) and e-Privacy Regulation.
GDPR Overview
General Data Protection Regulation (GDPR) will come into effect on May 25th, 2018.
The GDPR imposes new rules on organizations in the European Union (EU) and those that offer goods and services to people in the EU, or that collect and analyze data tied to EU residents, no matter where they are located.
- Enhanced personal privacy rights;
- Increased duty for protecting data;
- andatory breach reporting;
- Significant penalties for non-compliance;
GDPR clarifies where responsibility for privacy protection lies with any companies who collect, store, manage, process and analyze any form of Personal Data. Applies to any organization (including those outside the EU) that holds or processes data from EU residents.
It repeals the current Data Protection Directive (DPD) 95/46/EC, but complements the recently introduced NIS directive 1148/2016.
It consists of 99 articles and 173 recitals and breaches could lead to fines:
- Major breaches – up to €20 million or 4% of global annual turnover;
- Less important breaches – up to €10 million or 2% of global annual turnover;
Internal GDPR stakeholders
- Legal (covering both EU & local law);
- Organizational (governance & management);
- Procedural (operations, policies & procedures);
- Technical (IT & technology investments);
- Involvement is also needed from all other departments: HR, Marketing, Financial, Customer Service, etc.
New items contained within GDPR
- Mandatory data breach notification (72 hours) ;
- Semi-mandatory DPO (Data Protection Officer);
- Explicit and implicit consent;
- Data minimization & pseudonymization;
- Mandatory DPIAs (Data Protection Impact Assessments);
- Privacy notices – more robust, concise, transparent and accessible;
- They must explain personal data processed, purpose of processing, intended retention, subject rights, source of data, conditions of processing;
- New additions to personal data definitions: Online identifiers, device identifiers, cookie IDs, IP addresses, pseudonymized data, sensitive data now includes genetic and biometric data as well;
Digital media/marketing gets impacted
- Collecting personal data from users/customers;
- Email marketing – validating consent and data sources;
- User data – applying the “right to be forgotten”;
- Respecting browser cookie policies;
- The need for explicit consent being granted beforehand;
- Monitoring users through behavior tracking tools needs to be clearly and obviously stated;
Explicit consent
“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
You can process data without consent if it’s necessary for:
- A contract with the individual;
- Compliance with a legal obligation;
- Vital interests;
- A public task;
- Legitimate business interests;
- Anything else needs explicit, unambiguous consent to be granted;
- Demonstrable by a statement or clear affirmative action;
- Silence or pre-ticked “I agree” boxes are not explicit consent!
Key changes needed for GDPR
A. Personal Privacy
Individuals have the right to:
- Access their personal data;
- Correct errors in their personal data;
- Erase their personal data;
- Object to processing of their personal data;
- Export personal data.
B. Controls and Notifications
Organizations will need to:
- Protect personal data using appropriate security;
- Notify authorities of data breaches within 72 hours;
- Obtain appropriate consents before processing data;
- Keep records detailing data processing;
C. Transparent Policies
Organizations are required to:
- Provide clear notice of data collection;
- Outline processing purposes and use cases;
- Define data retention and deletion policies;
D. IT and Training
Organizations will need to:
- Train privacy personnel & employee;
- Audit and update data policies;
- Employ a Data Protection Officer (recommended);
- Create & manage compliant vendor contracts;
Keep your process simple.
1. Discover
Any data that helps you identify a person.
- Name, email address, social media posts, location.
- Medical information, physical, physiological, or genetic information.
- Bank details, IP address, cookies, cultural identity.
- Identify where personal data is collected and stored.
- Emails, documents, databases, removable media.
- Letters, contracts, employee HR data.
- CRMs, ERPs, file shares.
- Metadata, log files, backups.
2. Manage
Defining policies, roles and responsibilities for the management and use of personal data.
- At rest, in process, in transit.
- Storing, recovery.
- Archiving, retaining, disposal.
- Organizing, classifying and labeling data to ensure proper handling.
- Types, sensitivity, context / use.
- Ownership, custodians, administrators, users.
3. Protect
Protecting your data through appropriate security.
- Physical datacenter protection, network security, storage security
- Identity management, access control, encryption
- Compute security, risk mitigation
- Monitoring for and detecting system intrusions
- System monitoring, disaster recovery
- Breach identification, notifying DPA & customers
- Calculating impact, planned response
4. Report
Enterprises will need to record the following info:
- Purposes of processing, classifications of personal data.
- Third-parties with access to the data, data retention times.
- Organizational and technical security measures.
- Implement reporting capabilities.
- Cloud services (processor) documentation, audit logs.
- Breach notifications, handling data subject requests.
- Governance reporting, compliance reviews.
Resources
GDPR website: http://www.eugdpr.org/
GDPR key changes: http://www.eugdpr.org/key-changes.html
Full GDPR text: http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
Browsable GDPR tex: http://www.privacy-regulation.eu/en/index.html
ANSPDCP: http://www.dataprotection.ro
