On April 8, 2016, the EU adopted its General Data Protection Regulation (GDPR). These new rules went into effect on May 25, 2018. They are applicable in all EU member states and do not call for national legislation to make them valid. What does this mean for you and why is it important?
What Does GDPR Require?
Any organization that processes data has direct and significant obligations under GDPR. These data processor rules include (but are not limited to) the following requirements:
- Keep a written record of processing activities carried out. There must be one record maintained on behalf of each controller of data collected.
- Name a data protection officer where required.
- Appoint a representative (when not established in the EU) in certain circumstances.
- Notify the data controller immediately when becoming aware of a personal data breach.
Data processors now have a new status. This will impact the handling of data protection matters in other commercial agreements.
Data controllers must continue to provide transparent information to data subjects. For example, if the information gathered is going to be used for marketing purposes, the subject has the right to object, so the data controller must say so at the moment the data is gathered. Of course, no one can take personal data without permission. Consent must be freely given, specific, informed, and unambiguous. It must also be as easy to withdraw as it is to give. If the data subject has no genuine and free choice, that is not consent. Or, if they are unable to withdraw or refuse consent without repercussions? Fun fact: not consent. (Valuable life lesson, folks). Consent must be explicit for sensitive data. The data controller must also be able to prove that the subject did, indeed, give consent.
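One way to make those consent properties concrete in code is an append-only consent ledger: every grant and withdrawal is recorded with its purpose, time, capture point and the exact wording shown, so the controller can later prove what was agreed and when. The example below is added here and is not code from the original article; all class and function names (ConsentEvent, ConsentLedger, has_consent, evidence) and the sample subject, purposes and timestamps are constructed for illustration. Withdrawal deliberately takes fewer inputs than giving consent, and consent for one purpose is never treated as consent for another.

```python
"""Append-only consent ledger (added example, not from the original article).

Encodes the consent properties a controller must be able to demonstrate:
freely given and unambiguous (an affirmative action is required), specific
(one purpose per record), informed (the wording shown is kept), as easy to
withdraw as to give (no justification needed), and provable (full history).
All names and sample values are assumptions for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str          # one specific purpose, e.g. "marketing_email"
    granted: bool         # True = consent given, False = consent withdrawn
    at: datetime          # when the event happened (UTC)
    source: str           # where it was captured, e.g. "signup_form_v3"
    wording: str          # exact text the subject saw (empty on withdrawal)


class ConsentLedger:
    """Events are only ever appended; the ordered history is the proof."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    @staticmethod
    def _now(at: Optional[datetime]) -> datetime:
        return at if at is not None else datetime.now(timezone.utc)

    def give(self, subject_id: str, purpose: str, source: str, wording: str,
             affirmative_action: bool, at: Optional[datetime] = None) -> ConsentEvent:
        # Unambiguous: silence or a pre-ticked box is not an affirmative act.
        if not affirmative_action:
            raise ValueError("consent requires a clear affirmative action")
        # Informed: keep the exact statement the subject agreed to.
        if not wording.strip():
            raise ValueError("consent must record the wording shown to the subject")
        # Specific: one purpose per record, never a bundled list.
        if "," in purpose or not purpose.strip():
            raise ValueError("consent must name a single, specific purpose")
        event = ConsentEvent(subject_id, purpose, True, self._now(at), source, wording)
        self._events.append(event)
        return event

    def withdraw(self, subject_id: str, purpose: str, source: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        # As easy to withdraw as to give: no reason, no extra fields required.
        event = ConsentEvent(subject_id, purpose, False, self._now(at), source, "")
        self._events.append(event)
        return event

    def has_consent(self, subject_id: str, purpose: str,
                    at: Optional[datetime] = None) -> bool:
        """The latest event for this subject and purpose, at or before `at`, decides."""
        when = self._now(at)
        history = sorted(
            (e for e in self._events
             if e.subject_id == subject_id and e.purpose == purpose and e.at <= when),
            key=lambda e: e.at,
        )
        return bool(history) and history[-1].granted

    def evidence(self, subject_id: str, purpose: str) -> list[ConsentEvent]:
        """Full ordered history: what the controller produces to prove consent."""
        return sorted((e for e in self._events
                       if e.subject_id == subject_id and e.purpose == purpose),
                      key=lambda e: e.at)


def demo() -> dict:
    """Give, check, withdraw and re-check consent using constructed sample data."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)   # constructed timestamps
    t1 = datetime(2018, 6, 1, 9, 0, tzinfo=timezone.utc)
    ledger.give("subject-42", "marketing_email", "signup_form_v3",
                "Yes, send me product news by e-mail.", affirmative_action=True, at=t0)
    before = ledger.has_consent("subject-42", "marketing_email", at=t0)
    ledger.withdraw("subject-42", "marketing_email", "account_settings", at=t1)
    after = ledger.has_consent("subject-42", "marketing_email", at=t1)
    # Consent is specific: marketing consent says nothing about other purposes.
    other = ledger.has_consent("subject-42", "analytics", at=t1)
    return {"before": before, "after": after, "other": other,
            "evidence": len(ledger.evidence("subject-42", "marketing_email"))}


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the ledger never overwrites or deletes a record. A mutable "consent: yes/no" flag on a user row can tell you the current state, but it cannot show a regulator what the subject agreed to, when, or through which form, and it cannot show that a later withdrawal was honoured from the moment it was made.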
What Do I Need to Do to Comply with GDPR?
Given the complexity of GDPR, your response plan needs to be multi-dimensional. The first step is asking yourself the classic trio of data security questions:
- Do you know all the personal data you have? This includes your customers, employees, contractors, patients, suppliers, and the like.
- Where is this data stored and used? You need to have a deep understanding of where your data lives in transit and at rest. Be aware of whether it’s in the cloud, on separate hard drives, or backup tapes. And do not forget the mandate to have user consent on sharing that data!
- How will you protect this data? Your applications, databases, and networks are complex. They all need multi-layer security measures in place to safeguard personal data. Knowing exactly what your organization needs is an in-depth discovery process. It can’t be a one-size-fits-all fix. But it is very important.
Answering these questions will give you a high-level view of what you need to do to comply with GDPR. Assess the potential impact of implementing these necessary changes. Also include a consent management strategy and a plan to handle data access requests. Unfortunately, you should also prepare for the worst: assess the possible impact of a privacy violation. Better yet, include your legal team in the loop. Better still, make strong choices that ensure you never need them.