The new EU data protection regulation forces compliance work on every organization worldwide that handles the personal data of individuals residing in the EU. Heavy turnover-based sanctions can be imposed on companies that do not fully adhere to the GDPR by May 2018. Yet most companies still have no full overview of the obligations the new law creates.
How serious is this topic for your organization?
Data protection for EU residents is currently based on a directive from the mid-1990s. It could not keep pace with the privacy needs of a globalizing and digitalizing world. A new regulation was therefore finalized in 2016 to harmonize the legal data privacy framework within the EU. From May 2018 it becomes legally binding and directly applicable across the EU, without national transposition.
Which companies and data are hit by GDPR?
The new law protects natural persons residing in the EU with respect to the processing of their personal data by data controllers and data processors. The regulation prohibits, except under narrow statutory exceptions, the processing of special categories of data: data revealing racial or ethnic origin, political opinions or religious beliefs, genetic and biometric data, health data, and data concerning sexual orientation.
GDPR applies to every company processing the data of EU residents, regardless of where the company is located. It also imposes obligations not only on data controllers (those who decide why and how personal data are used, e.g. search engines or online stores) but also on data processors (those who handle data on behalf of a controller, e.g. cloud providers or shared service centres).
Personal data is any information that identifies a person directly, or indirectly by reference to an identifier such as a name, address, bank details, personal ID number or IP address.
How does GDPR affect your company?
The following section gives a brief summary of the key changes of the new regime and their impact on organizations. For the exhaustive version, refer directly to the regulation text.
National supervisory authorities are in charge of monitoring compliance with the GDPR. They may conduct on-site data audits, issue public warnings and, most importantly, impose financial sanctions on companies that do not fully adhere to the new law. Fines can reach 4% of the worldwide annual turnover of the entire business group or €20 million, whichever is higher. In addition, private claims for material and non-material damages will be simplified.
- Data protection by design and by default: companies must be able to show that data protection is built into products and services from the early stages of development. The regulation names pseudonymisation, and technical mechanisms that ensure by default that only the personal data necessary for a given purpose are processed, as appropriate measures.
- Cooperation with supervisory authorities: a personal data breach must be reported to the supervisory authority within 72 hours of the company becoming aware of it.
- Internal record-keeping requirement: companies must keep an inventory of the personal data they process, together with documentation describing, among other things, the purpose of each processing activity.
- Data Protection Officers (DPO): appointing a DPO is mandatory for companies whose core activities consist of processing that requires regular and systematic monitoring of individuals on a large scale, or of large-scale processing of special categories of data.
- Data Protection Impact Assessments (DPIA): where a planned processing activity is likely to result in a high risk to individuals' privacy, a DPIA must be carried out before the processing starts in order to identify and mitigate those risks.
- Certification mechanism: data protection seals and certificates will be introduced for companies that want to demonstrate GDPR compliance.
How will EU residents benefit from GDPR?
GDPR also gives EU residents more control over their personal data. A selection of those rights is presented below.

| Right | What it means for the organization |
|---|---|
| Right to rectification | Individuals may request, free of charge, that incorrect personal data be corrected and incomplete data be completed. Irrelevant or unlawfully processed personal data must be deleted on request. |
| Right to portability | An individual may request the transfer of their own personal data from one organization to another. This provision is entirely new to the data protection landscape. |
| Right to be forgotten | If a controller has no legal ground for processing the personal data, the individual may request the erasure of their data. |
| Consent | Consent must be separate from other terms and conditions and can be withdrawn by the data subject at any time. For children below the age of 16, parental consent is required. |
These data subject rights have serious commercial and technical consequences for organizations. Most organizations expect the erasure of customer data to be a challenge, and 60% of companies admit that they have no system capable of deleting personal data on request. Substantial investment is therefore needed to set up new procedures and adapt existing IT functionality to comply with the GDPR.
How can CAMELOT help?
One of the most stringent data protection laws in the world is about to take effect in the EU. Given the wide scope of the changes compared with the current legal landscape and the size of the sanctions, the compliance burden falls on almost every company serving EU residents.
Get in touch with us to learn how Camelot can help you close the GDPR compliance gap and guide you through the adaptation process, from assessment to sustained compliance.