Organizations that handle the personal data of individuals in the European Union, whether or not they have a physical presence there, need to take note of the sweeping overhaul of data protection law set forth by the newly adopted General Data Protection Regulation (GDPR).
What Is the General Data Protection Regulation?
Adopted in April 2016, the General Data Protection Regulation replaces the EU Data Protection Directive of 1995 (95/46/EC). The major changes introduced by the GDPR relate to information security, data privacy and information governance. Unlike the Directive, the GDPR is a regulation, so it applies directly in every member state without first being transposed into national law.
Affected organizations received a two-year transition period: the GDPR becomes enforceable on May 25, 2018.
Who Will Be Impacted by the GDPR?
Any organization that handles the personal data of individuals in the EU is subject to the GDPR, reports the Information Age. The regulation places its obligations on two kinds of entity: controllers and processors.
The controller is the organization (or public authority) that determines the purposes and means of processing personal data. The processor is a separate organization that processes personal data on the controller's behalf and on its documented instructions, for example a cloud hosting provider, a SaaS vendor or a payroll bureau. Employees who handle data under the controller's authority are not processors; they act as part of the controller. The controller carries primary responsibility for the lawful collection and processing of personal data, while processors have their own direct obligations, including security of processing, record-keeping and reporting breaches to the controller.
What Are the Key Components of the General Data Protection Regulation?
The General Data Protection Regulation has several components that organizations must comply with, each designed to protect the personal data of individuals in the EU.
Extended Territorial Scope
The regulation applies to any organization that processes the personal data of individuals in the EU, regardless of where in the world the organization is established, provided it either offers goods or services to those individuals or monitors their behaviour.
Consent
Where an organization relies on consent as its lawful basis for processing, that consent must be freely given, specific, informed and unambiguous, signalled by a clear affirmative action rather than silence or pre-ticked boxes, and as easy to withdraw as it was to give. The organization must also clearly explain every intended use of the data at the time it is collected. Consent is only one of the lawful bases the GDPR recognizes; others include performance of a contract, compliance with a legal obligation and the controller's legitimate interests.
Mandatory Breach Notification
Controllers must notify the competent supervisory authority within 72 hours of becoming aware of a personal data breach. The only exception is where the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. If notification is late, the reasons for the delay must accompany it, and where the breach is likely to result in a high risk to individuals, the controller must also inform those individuals without undue delay. Processors, for their part, must report any breach to their controller without undue delay.
Right to Access
Individuals may ask an organization to confirm whether it is processing their personal data and, if so, to provide a copy of that data along with the purposes of the processing, the recipients, the retention period and the source of the data. The organization must respond within one month (extendable by two further months for complex requests), generally free of charge, and where the request was made electronically the information should be provided in a commonly used electronic form.
Right to Be Forgotten
Formally the right to erasure (Article 17), this gives individuals the right to have their personal data erased without undue delay where, for example, the data is no longer needed for the purpose it was collected for, consent has been withdrawn, the individual objects and no overriding legitimate ground exists, or the data was processed unlawfully. A controller that has made the data public must also take reasonable steps to inform other controllers processing it that erasure has been requested. The right is not absolute: it yields to freedom of expression, legal obligations, tasks in the public interest and the establishment or defence of legal claims. The best-known application is search-engine delisting, where, per the BBC, a request turns on whether "the impact on the individual's privacy is greater than the public's right to find it." As the BBC notes, delisting does not erase a person's online history; it only makes that history harder to find for anyone but the most dedicated searchers.
Data Portability
Individuals have the right to receive the personal data they have provided to a controller in a structured, commonly used and machine-readable format, and to transmit it to another controller (or have it transmitted directly where technically feasible). The right applies to data processed by automated means on the basis of consent or a contract. In practice this obliges organizations to keep such data in a format they can export quickly and completely in response to requests from individuals in the EU.
Privacy by Design
Formally "data protection by design and by default" (Article 25), this requires controllers to build appropriate technical and organizational measures, such as pseudonymisation and data minimisation, into systems and processes at the time they are designed rather than retrofitting them afterwards. By default, a system should process only the personal data necessary for each specific purpose, in terms of the amount collected, the extent of processing, the retention period and who can access it.
Data Protection Officers (DPO)
Not every organization must appoint a Data Protection Officer (DPO). Appointment is mandatory for public authorities, for controllers and processors whose core activities involve regular and systematic monitoring of individuals on a large scale, and for those whose core activities involve large-scale processing of special categories of data (such as health data) or criminal-conviction data. Other organizations may appoint one voluntarily. The role may be filled by a permanent staff member or by an external contractor retained on a consulting basis, but the DPO must know the GDPR's requirements in depth, report to the highest level of management and be free from instruction in performing the role. The DPO's statutory tasks include informing and advising the organization and its staff on their obligations, monitoring compliance (including the assignment of responsibilities, awareness-raising and training), advising on data protection impact assessments, and cooperating with and acting as the contact point for the supervisory authority. In practice, the DPO is the person who advises on and monitors decisions such as:
- Setting reasonable and defensible retention periods for personal data.
- Defining which workflows may grant access to personal data, and under what authorization.
- Defining how personal data is anonymised or pseudonymised, and when each approach is appropriate.
- Monitoring these controls to ensure continuous protection of personal data.
Accountability for those decisions remains with the controller; the DPO advises and monitors rather than deciding alone.
Non-Compliance Penalties Associated with the GDPR
Failure to comply can be costly for companies anywhere in the world. The upper tier of administrative fines reaches up to €20 million or four percent of total worldwide annual turnover for the preceding financial year, whichever is higher; a lower tier, covering obligations such as record-keeping and security of processing, tops out at €10 million or two percent. Fines are assessed against the undertaking as a whole, so a multinational group is treated as a single entity for this purpose, according to The Register.
How Can You Start Your Efforts for Maximum GDPR Compliance?
There are some basic steps that you and your IT team can take to ensure GDPR compliance, including the following:
- Build your GDPR compliance team.
- Assess risks and create company-wide awareness on a regular basis.
- Design the necessary operational controls to fit the requirements of GDPR.
- Manage and enhance controls, as needed.
The most important thing you can do ahead of the May 25, 2018 deadline is to make sure you and your team understand the responsibilities the GDPR imposes. That understanding lets you serve your European customers better, avoid penalties and, not least, run a more secure system.
Find Help Building Your GDPR Implementation Team
If everyone on your IT team already has a full plate, or you simply want to work with someone with their finger on the pulse of the GDPR, ICS can help you find the right candidate or candidates to satisfy your needs. Contact us to tell us more about your compliance team needs.