On May 25, 2018 the General Data Protection Regulation (GDPR) will replace the decades-old Data Protection Directive currently in place in the European Union (EU).
This is a big change and people have questions.
Well, we have answers. This guide covers everything you need to know about the GDPR and GDPR compliance without the confusing IT jargon.
What is the GDPR? What’s the Goal?
The GDPR will take control of personal data out of company hands and put it back into the hands of its owner.
New requirements will help companies understand data privacy laws and will protect EU citizens from breaches.
How Do I Know If My Company Must Comply?
The GDPR outlines its scope very clearly to leave little room for mistakes. GDPR compliance is mandatory for companies that are:
- located outside of the EU but processing the personal data of EU residents
- located outside of the EU but collecting the personal data of EU residents
- residing in the EU and processing or collecting the personal data of EU residents
This Ovum report claims that two-thirds of businesses will have to rethink their strategy in Europe.
What Qualifies as “Personal Data”?
The new regulation takes a broad view, defining personal data as any public, private or professional information about an individual, all of which requires the same level of protection.
This includes, but is not limited to: name, home address, photos, bank details, email address, social media posts, medical information, IP address and RFID tags.
Eight Key Changes of the GDPR
The pressure is on for companies to meet numerous new GDPR compliance standards.
And failing to comply can cost you. In fact, penalties can now reach £20M (this is new).
Don’t let a fine be your company’s ruin.
Read on for the key takeaways of the new regulation and a short GDPR compliance checklist of changes you need to make for the safety of your company, staff and users:
1. Greater Authority and Applicability
The GDPR covers a broader jurisdiction than the previous directive.
As briefly stated above, GDPR compliance is mandatory for all companies that process or control the personal data of individuals in the EU.
(Even companies not specifically located in the EU must comply.)
2. Explicit Consent and Easier Withdrawal
The new policies strengthen the conditions for user consent.
To be GDPR-compliant, companies must request consent from users in an easy-to-understand way, using clear and plain language, and the consent must be given explicitly.
Plus, it must be just as easy for a user to withdraw their consent as it was to give it.
3. The Right to Erasure
The previous directive had the “right to be forgotten”.
Building on that, the right to erasure under the GDPR means that subjects can ask that their previously collected or processed data be deleted.
If the subject withdraws their consent or the data is no longer required for its original purposes, they can ask that the data be erased permanently, and the company must comply.
4. The Right to Access
The right to access personal data encourages transparency between companies and data subjects.
A company must provide an inquiring individual with information regarding:
- What data of theirs is being processed
- How this data was acquired
- Where the data is being processed
- With whom the data is being shared
5. The Right to Data Portability
The right to data portability is another attempt at empowering the data subject.
With this, individuals have the right to transfer their personal data from one company to another without trouble.
One exception is data that’s sufficiently anonymized.
6. Privacy By Design and By Default
The GDPR calls for “privacy by design”.
The new regulation promotes data protection as something that’s prioritized from the start, as a default, rather than an afterthought.
For example, a company that is GDPR-compliant will minimize the amount of data in its possession by processing only what is necessary to complete the task at hand.
And, after said task is complete, the company must destroy or anonymize any data that’s no longer needed.
7. More Stringent Breach Notifications
Data breach notification rules are more stringent under the GDPR.
Breaches must be reported to the Supervisory Authority of the affected states within 72 hours of discovery.
It only takes one data breach to put a company at risk for lawsuits, fines and reputation damage.
In certain situations, victim companies may be required to notify those whose data is affected by the breach.
8. Heightened Penalties
Penalties are greater under the new policy. Companies found not in compliance with the GDPR may be fined up to 4% of their annual revenue (or £20M, whichever is greater).
This could be detrimental to a company’s success. Oliver Wyman predicts that the EU could collect as much as £5 billion in fines in the first year.
It will be a challenge for companies to revamp old systems or implement entirely new ones to meet new standards.
For more details, the entire GDPR document is available here.