GDPR Basics: What you Need to Know to Ensure Compliance

The General Data Protection Regulation (GDPR) is a single regulation that applies directly in every European Union member state, replacing the 1995 Data Protection Directive. It affects any company, multinational or not, that processes the personal data of people in the EU. The GDPR applies from May 25th, 2018, and most companies must begin preparations now in order to meet its requirements by that date.

What You’ll Read in this Article

  • A breakdown of the GDPR basics
  • Understanding the rights of individuals in the EU (data subjects)
  • Impact on all multinational companies
  • Penalties and sanctions for non-compliance
  • How to ensure your company is compliant

 

What is the GDPR?

The GDPR is a European Union law that will have dramatic effects on multinational companies around the globe, including in the United States. It holds companies accountable for the personal data they retain about any individual in the European Union, whether that person is an employee, customer, or business partner. Note that the protection attaches to the individual (the "data subject") being in the EU, not to EU citizenship. According to the Information Commissioner's Office (ICO), which is the "UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals", there are eight rights the GDPR extends to individuals, and they are:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling

The full text of the regulation (Regulation (EU) 2016/679) is published in the Official Journal of the European Union.

 

Defining Personal Data

In order to understand the vast scope of the GDPR we should first define "personal data". Under the GDPR, "personal data" is any information relating to an identified or identifiable natural person. That covers the obvious identifiers such as names and contact details, but also IP addresses and other online identifiers, HR records, and location data. Pseudonymised or key-coded information is still personal data as long as a key exists that allows the person to be re-identified; only data that has been genuinely anonymised, so that the individual can no longer be identified by any reasonably likely means, falls outside the regulation.

 

Transparency

The purpose of the GDPR is to protect individuals in the EU from misuse of their data and from data breaches, to increase consumer trust and safety, and to create transparent accountability measures. Information about how data is processed must be provided in a concise, transparent, intelligible and easily accessible form, in clear and plain language, especially if addressed to a child, and it must be provided free of charge. A company may charge a reasonable fee or refuse to act only where a request is manifestly unfounded or excessive, and it carries the burden of demonstrating that. Every data subject can ask whether their data is being processed, obtain a copy of it, and, for data they provided themselves that is processed by automated means on the basis of consent or a contract, take it with them in a commonly used, machine-readable format or have it transmitted directly to another company (data portability).

 

Data Mapping

The GDPR requires a company to be able to answer the following questions about a person's data quickly and accurately, and Article 30 requires most controllers and processors to maintain a written record of their processing activities that captures the same information:

  • Where the data is stored
  • Why the personal data is being processed (the purpose and the lawful basis)
  • How long the data will be retained
  • Where the company or controller collected the data from
  • Where the data goes when it leaves the organization, including transfers to third countries
  • What categories of information are included

The GDPR is more demanding than any previous EU data protection legislation because it places the accountability on the company. Under the accountability principle (Article 5(2)) a controller must be able to demonstrate how it complies, not merely assert that it does.

 

Consent

Consent is one of the lawful bases for processing under the GDPR, and where a company relies on it the bar is high. Consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action before processing begins. It can no longer be inferred from silence, pre-ticked boxes, or inactivity; a request for consent must be clearly distinguishable from other terms and conditions; it must be as easy to withdraw as it was to give; and the company must be able to demonstrate that consent was obtained.

 

Data Protection Officers

If your company meets any of the following conditions, you are required to appoint a Data Protection Officer (DPO):

  • Are a public authority (except for courts acting in their judicial capacity);
  • Carry out large scale systematic monitoring of individuals (for example, online behavior tracking); or
  • Carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

The DPO informs and advises the company on its GDPR obligations, monitors compliance (including awareness training and audits), advises on data protection impact assessments, and acts as the contact point for the supervisory authority; the company itself remains accountable for compliance. The DPO must report directly to the highest management level in the organization, must operate independently without receiving instructions on how to carry out their tasks, and must not be dismissed or penalised for performing those tasks.

 

Penalties and Sanctions for Non-compliance

The penalties for failing to comply with GDPR rules are steep. Sanctions differ based on which articles of the law are infringed. Companies failing to comply with the following provisions face a fine of up to 10M EUR or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher:

  • the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43
  • the obligations of the certification body pursuant to Articles 42 and 43
  • the obligations of the monitoring body pursuant to Article 41(4)

 

Companies failing to comply with the following provisions face a fine of up to 20M EUR or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher:

  • the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9
  • the data subjects' rights pursuant to Articles 12 to 22
  • the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49
  • any obligations pursuant to Member State law adopted under Chapter IX
  • non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1)

The full list of conditions for imposing administrative fines, and the factors a supervisory authority must weigh when setting the amount, is in Article 83 of the regulation.

 

Ensuring Compliance

The deadline for GDPR compliance is only a few months away. With its strict requirements and serious consequences, it is paramount for any company that holds personal data about individuals in the European Union to put policies and processes in place now that align with the new regulation.

The wide-ranging requirements of the GDPR and the compressed time available for implementation present a challenge for organizations. LogicGate is helping companies meet GDPR compliance requirements by centralizing and automating the new processes that must be executed to achieve compliance, and by enhancing existing manual processes such as third-party risk management, which must now incorporate data protection impact assessments (DPIAs).
