The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a new set of guidelines by which the European Parliament, European Council and European Commission, intend to strengthen and unify data protection for individuals within the European Union (EU). The regulation is currently in a two-year transition period and will officially be enacted 25 May 2018.
The GDPR applies to all 28 EU member states and their citizens’ personal data, whether it is collected, stored or processed inside or outside of the EU. The regulation’s primary objectives are to strengthen citizens’ control of their personal data, and to simplify the regulatory environment for international business by standardizing personal information governance across the EU.
Under the new regulation, EU citizens will gain several rights concerning their personal data, and companies will face stronger restrictions on how they use and access that information. Below are the key changes that will result from the GDPR:
1. STRICTER DEFINITION OF PERSONAL DATA
The current definition of personal data is broad and blankets many different types of information. For example, an organization could be handling “personal information” by tracking and storing an individual’s IP address. After the GDPR goes into effect, organizations must explicitly define all types of personal data they collect and store.
2. ENHANCED RIGHTS FOR INDIVIDUALS
Under the GDPR, individuals will have more rights regarding their personal information, including:
- The right to “be forgotten”. Anyone can ask to have personal data be removed or deleted from an organization’s records and systems
- The right to “data portability”, meaning the ability to download stored personal information in a machine-readable format and / or the ability to request personal data be shared with another organization
- The right to have inaccurate data corrected
3. THE PRINCIPLE OF DATA MINIMIZATION
The GDPR will require organizations to collect the smallest possible amount of data and store that data for the shortest possible period of time. Once the personal data has served its purpose, organizations will be required to delete it as quickly as possible. These rules are particularly relevant for marketing departments which typically gather and store large volumes of customer data to support targeting and outreach efforts.
4. STRICTER CONSENT RULES
Under the new regulation, organizations will be required to obtain explicit and informed consent from individuals before their data may be processed or stored. Additionally, consent cannot be assumed in any way. For example, an individual’s inaction or failure to answer certain questions cannot be construed as consent. All questions asking an individual to grant an organization permission to access, process or store personal information must be clearly presented. Furthermore, once obtained, consent should be stored within the organization for future reference.
5. DATA BREACH NOTIFICATION
The GDPR will require organizations to report a data breach to the proper authorities and to all affected individuals within 72 hours of the incident. Any data security issue must be promptly analyzed, closely monitored and reported to authorities who can help impacted individuals mitigate the risks associated with the breach of their personal data. Attacks on personal data happen often, even to prominent organizations; thus, it is critical to prepare an official response plan that will help you swiftly address the issue. A good example of a prominent organization whose personal data recently underwent a cyber-attack can be found here.
6. INCREASED ACCOUNTABILITY
The GDPR will contain several new governance rules, including the requirement for organizations to appoint a Data Protection Officer (DPO). The DPO will be responsible for conducting routine privacy impact assessments for his / her company. The DPO will also be required to alert the proper authorities and all affected individuals in the event of a data breach.
7. SUBSTANTIAL FINES
Failure to comply with the new regulations could result in severe penalties. Fines for violating terms of the GDPR can amount to €20 million or 4% of an organization’s annual global revenue - whichever is greater.