With the adoption of the General Data Protection Regulation (GDPR) by the European Parliament on April 14th, 2016, almost every company doing business in the member states of the European Union needs to comply. (The opt-outs that the United Kingdom, Ireland and Denmark hold in the area of justice and home affairs concern the companion directive for police and criminal-justice authorities adopted the same day; the GDPR itself applies in full in every member state.) Its rules take effect on May 25th, 2018, a little more than two years after its publication in the Official Journal of the EU on May 4th, 2016.
Unlike the 1995 Data Protection Directive it replaces, the GDPR is a regulation: it is directly binding in every member state without having to be transposed into national law (several member states will nonetheless pass supplementary legislation to exercise the options the regulation leaves open). With the deadline set, every company should use the remaining time to check whether its current data processing and data protection policies comply with the new regulation.
What does the GDPR change?
One single regulation for all of Europe (and for companies outside Europe that offer goods or services to, or monitor, people in the EU).
Whether this regulation is an improvement or a burden depends heavily on the country in which your company is located: almost every European and other Western country already has data protection laws in its own jurisdiction. The main reason the European Council and the European Parliament worked on this regulation for four years was to harmonise the member states' national laws into a single, directly applicable set of rules. That is what they have accomplished.
Stricter rules and higher fines
Whatever the fines were under the old national laws, the ones in the GDPR are large, large enough to threaten the existence of a small or medium-sized firm: for the most serious infringements (Art. 83(5)) the maximum fine is 20 million euros (roughly $23 million) or 4 % of the enterprise's total worldwide annual turnover of the preceding financial year, whichever is higher; a lower tier of 10 million euros or 2 % applies to other infringements (Art. 83(4)). So it makes sense to comply with the new rules.
New scopes of data protection implemented in GDPR for companies
Data governance and accountability
This is the most important part of the regulation. It places numerous obligations on controllers (the organisations that decide why and how personal data is processed) and on processors (those that process it on a controller's behalf). Some of those obligations already exist in German and French law, but not in all member states, so they have to be introduced there. One item is new to all:
Privacy by design and by default (Art. 25)
Controllers must adopt internal policies and implement technical and organisational measures which ensure that, by default, only the personal data necessary for each specific purpose is processed. This obligation covers the amount of data collected, the extent of its processing, the period of storage and its accessibility.
In particular, personal data must not, by default, be made accessible to an indefinite number of people without the individual's intervention.
Personal data breaches
The GDPR introduces fixed time frames for informing the national supervisory authority about a personal data breach: the controller must notify without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals (Art. 33). Where the breach is likely to result in a high risk, the affected individuals must be informed as well (Art. 34). In addition, the controller has to document every personal data breach, including its facts, its effects and the remedial action taken, so that the supervisory authority can verify compliance.
Data subjects rights
Articles 12 to 23 establish the rights of the so-called data subjects. A person who no longer wants a company to use their personal data now has the "right to be forgotten" (the right to erasure, Art. 17): in certain circumstances they can require the firm to erase the data, and if the firm has made the data public, it must take reasonable steps to inform other controllers processing the data that the data subject has requested erasure of any links to, copies or replications of it. The controller must act on a request without undue delay and in any event within one month; for complex or numerous requests that period can be extended by two further months (Art. 12(3)).
8 things you should be doing now to prepare for GDPR
This (incomplete) list shows that companies face a lot of work to comply with the new rules. The following tips will get them started:
- Prepare for personal data breaches: Put clear guidelines and well-controlled procedures in place so that you detect and respond to data breaches quickly and, where necessary, notify the supervisory authority and the affected individuals promptly.
- Establish a framework for accountability: The GDPR requires you not only to comply but to be able to demonstrate compliance (Art. 5(2)). Have a clear policy that proves you meet the new standards, keep records of your processing activities (Art. 30), and build a culture of monitoring and reviewing your processing so that you minimise the data you store and process and can show the protective measures you apply.
- Analyse the legal basis on which you use personal data: Consider what processing you perform and check the legal basis for each use. You may not need an individual's consent if you have another lawful basis, such as a legitimate interest, but you have to check. If you rely on consent, check that your consent forms are appropriate, that consent is given freely and that your information about the processing is precise and clearly understandable.
- Think about the rights of data subjects: Be prepared for individuals to exercise their rights under the GDPR (for example the right to be forgotten, rectification and data portability). If you store personal data, have procedures in place to locate, export and delete an individual's data within the one-month deadline.
- If you are a data processor, check for new obligations: The GDPR places obligations directly on processors that need to be understood and integrated into your policies, procedures and contracts. Check whether your documentation is sufficient and who, under existing contracts, will bear the additional cost of services caused by the new rules. If you receive data processing services from a third party, the contract must set out the respective responsibilities of controller and processor (Art. 28).
- Cross-border data transfers: As with all international transfers, including intra-group transfers, make sure you have a legal basis (an adequacy decision, standard contractual clauses or binding corporate rules) for transferring personal data to a country that may not have adequate data protection rules. This is not a new problem, but under the GDPR an unlawful transfer can result in a fine of up to 4 % of worldwide turnover.
Several parts of the new regulation require firms not only to store data safely but also to delete it securely, either at the request of the data subject or because the law requires it, within a tight time frame. For this purpose it is wise to use a specialised data erasure solution that both destroys the data beyond recovery (simply deleting a file leaves its contents on the medium) and documents the erasure with a verifiable certificate. For more information on secure data erasure please consult: https://www.ontrack.com/products/data-erasure/.
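To make concrete what "erase beyond recovery and document it" means in practice, here is an added example written for this page; it is not the article's code and not the product linked above. It overwrites a file with random bytes, forces the write to disk, verifies by reading the file back, unlinks it, and emits a small erasure record authenticated with an HMAC so that the record itself is tamper-evident. The record format, the single overwrite pass and the operator-held HMAC key are assumptions made for the illustration; the sample file content is constructed.

```python
"""Overwrite-and-verify file erasure that emits a tamper-evident erasure record.

Added example for illustration only (not the vendor's product or the article's
code). It shows the two properties the text asks of an erasure tool: the content
is destroyed, and the erasure is evidenced by a record whose integrity can be
checked later.

Caveat a practitioner needs: overwriting in place only destroys data when the
filesystem writes to the same physical blocks. SSD wear levelling, copy-on-write
filesystems (btrfs, ZFS, APFS), journaling and snapshots can keep old copies.
There, use the drive's own sanitize/secure-erase command or destroy the key of
an encrypted volume instead.
"""
import hashlib
import hmac
import json
import os
import tempfile
import time
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB write/read chunks
# Constructed sample row of fake customer data used by demo().
SAMPLE_ROW = b"id,name,email\n1,Jane Doe,jane@example.com\n"


def sha256_file(path: Path) -> str:
    """Streaming SHA-256 of a file, so large files are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def _sign(record: dict, key: bytes) -> str:
    """HMAC over the canonical JSON form of the record (sorted keys)."""
    body = json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def erase_file(path, record_key: bytes, passes: int = 1) -> dict:
    """Overwrite `path` with random bytes, fsync, verify by read-back, unlink.

    Returns a JSON-serialisable erasure record authenticated with an HMAC under
    `record_key` (assumption: a key held by the erasure operator).
    """
    p = Path(path)
    size = p.stat().st_size
    before = sha256_file(p)  # kept in memory only; never written to the record
    with open(p, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                f.write(os.urandom(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # make the overwrite reach the device
    after = sha256_file(p)
    # Verification: length unchanged and the content no longer hashes to the
    # original. An empty file has nothing to destroy and verifies trivially.
    verified = p.stat().st_size == size and (size == 0 or after != before)
    p.unlink()

    record = {
        "file": str(p),
        "size_bytes": size,
        "passes": passes,
        "method": "random-overwrite+fsync+readback",
        "verified": verified,
        "erased_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }
    record["hmac_sha256"] = _sign(record, record_key)
    return record


def verify_record(record: dict, key: bytes) -> bool:
    """True if the record is intact and was produced under `key`."""
    r = dict(record)
    tag = r.pop("hmac_sha256", "")
    return hmac.compare_digest(tag, _sign(r, key))


def demo() -> dict:
    """Erase a constructed temp file of fake customer data and return the record."""
    key = b"constructed-demo-key-not-for-production"
    with tempfile.NamedTemporaryFile("wb", delete=False, suffix=".csv") as f:
        f.write(SAMPLE_ROW * 1000)
        sample = f.name
    rec = erase_file(sample, key)
    assert not Path(sample).exists() and rec["verified"] and verify_record(rec, key)
    return rec


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The record deliberately contains no hash of the original content, only of the erasure outcome, so the "certificate" cannot be used to confirm guesses about what the erased file held. For whole drives or flash media, a record like this should accompany a device-level sanitize command rather than a file overwrite, for the reasons given in the caveat.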
For more information about GDPR read our other articles on this topic or consult the official site of the EU parliament on this matter…
Author: Michael Nuncic
Picture Copyright: Martin Moritz / pixelio.de