FAQs about GDPR
On May 25, 2018, the General Data Protection Regulation (GDPR) will go into effect, replacing the Data Protection Directive from 1995. This is the largest data protection legislation in the last 20 years. The new regulation addresses the export control of personal data of European Union (EU) citizens and how businesses use this data. The purpose of the regulation is to strengthen and unify data protection for individuals within the EU by allowing them to withdraw consent at any time, a major change from the original 1995 Directive. It is important to understand the scope of this regulation, as this protection of privacy comes with a complex set of impacts for businesses.
Who Does This Affect?
This regulation affects not only organizations inside the EU, but also organizations based outside of the EU. “Outside the EU” extends to cloud-based processing companies, any companies that provide goods or services to the EU, and those businesses that handle the private data of EU citizens.
What “Data” Does GDPR Apply to?
Data can be defined as personal data and/or sensitive personal data, a broader definition than in the 1995 Directive, where data was defined as information revealing genetic and biometric attributes of an individual. Note, however, that the restrictions applied by GDPR do not cover data that is rendered anonymous in such a way that individuals cannot be identified from the data.
What Is It About?
The GDPR covers a broad swath of obligations, including: requiring physical, logical, and business controls; appointing a GDPR DPO; implementing appropriate data protection policies and procedures; developing secure system configuration standards; developing data classification, retention, and destruction standards; restricting access to data and data systems according to defined access controls and privileges; and so on.
What Are the Other Major Changes?
DPOs. Articles 39 and 47 require any Data Protection Officer (DPO) to be responsible for the training of staff who are involved in processing operations and data-related audits, including data protection training for personnel who have regular access to personal data. The role of the DPO will take on heightened importance, as it is estimated that at least 75,000 DPO positions will be created globally under Article 37.
The European Data Protection Board. Along with the expansion of DPO roles, under Article 29 there will be an entirely new super-regulator in the form of the European Data Protection Board, which will include the head of each national DPA and the European Data Protection Supervisor, or their respective representatives. This entity will have the authority to issue guidance and will be empowered to resolve disputes among the national Data Protection Authorities (DPAs).
Impact Assessments. Security measures should match the risk of any potential data breach that results in harm to the data subjects, as referenced in Articles 32 and 33. Where a high-risk data processing activity is proposed, an impact assessment must be conducted in consultation with the DPA.
Reporting Requirements. Organizations must report a data breach to the supervisory authority competent in accordance with Article 55 within 72 hours of the data breach. If the data breach is unlikely to result in a risk to the rights and freedoms of the data subjects, then reporting is not required.
What Is the Penalty for Non-Compliance?
Organizations in breach of the new policies under GDPR can be fined up to 4% of annual global turnover or 20 million Euros. For less serious infringements (typically breaches of the controller and processor obligations), fines are set at up to 10 million Euros or 2% of annual global turnover.
Most importantly, as the effective date for this regulation grows closer, it’s vital to understand how these requirements may map to changes in your organization’s cybersecurity program.