The General Data Protection Regulation, or GDPR, is a regulation established by the European Union to protect individuals’ personal data. It applies from 25 May 2018 and replaces the EU’s 1995 Data Protection Directive. Whereas the 1995 directive had to be transposed into national law and turned largely on where an organisation was established, the GDPR applies directly in every member state and also reaches organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU, whatever the organisation’s location and whatever the individuals’ nationality.
What are individuals’ data rights under GDPR?
Individuals — referred to as “data subjects” under the GDPR — will have greater control over their personal data under the regulation. The General Data Protection Regulation includes the following data subject rights:
Right to erasure (the “right to be forgotten”, Article 17). Data subjects can ask that personal data about them be erased, for example where it is no longer needed for the purpose it was collected for or where they withdraw the consent the processing relied on.
Right of access (Article 15). Data subjects can obtain confirmation that an organisation is processing their data, a copy of that data, and information about the purposes, recipients and retention period.
Right to object (Article 21). Data subjects can object to processing carried out on the basis of legitimate interests or a public-interest task, and can object outright to processing for direct marketing, which must then stop.
Right to rectification (Article 16). Data subjects can have inaccurate personal data corrected and incomplete data completed.
Right to data portability (Article 20). Data subjects can receive the personal data they provided to an organisation in a structured, commonly used and machine-readable format and transmit it to another organisation.
Requests under these rights must be acted on without undue delay and in any case within one month (extendable by a further two months for complex or numerous requests, provided the data subject is told why). Under the right to erasure that means actually deleting the data and, where it has been made public, taking reasonable steps to inform other controllers processing it; under the rights of access and portability it means supplying the data in a commonly used format. Organisations must also make sure their internal procedures can identify, locate and act on the data concerned within that window.
The right to erasure is not absolute: it does not apply where the processing is necessary for exercising the right of freedom of expression and information, for scientific, historical or statistical research purposes, or for compliance with a legal obligation. For example, politicians will not be able to demand that comments about them be deleted from a news website.
Organisations must allow people access to their own data and must not hinder them from passing it to another organisation. A service provider, for example, will have to let customers take their data to a competing provider, and transmit it directly to that provider where this is technically feasible.
How will data breach notification and data collection consent rules change under the GDPR?
EU GDPR compliance requires organisations to deploy measures designed to prevent data breaches, and it sets strict breach notification rules. A personal data breach must be reported to the relevant national supervisory authority without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to individuals; if notification is late, the reasons for the delay must be given. Where the breach is likely to result in a high risk to individuals, such as discrimination, identity theft, damage to reputation, financial loss or loss of confidentiality, the affected individuals must also be told without undue delay. Every breach, reportable or not, must be documented internally. Organisations that don’t already have adequate systems and procedures for detecting, reporting and investigating data breaches will have to deploy them to comply with GDPR rules; in practice that means logging and monitoring capable of establishing what happened, when, and whose data was involved, and an incident response process that can produce a report within three days.
Under the GDPR, organisations will be required to use plain language when collecting personal data, and they will have to tell individuals how they process it. They must say who they are, why they are processing the data and on what legal basis, who receives it and how long it will be stored. Consent is only one of the lawful bases for processing (others include performance of a contract, a legal obligation and the organisation’s legitimate interests); where an organisation relies on consent, it must be freely given, specific, informed and unambiguous, given by a clear affirmative action, and as easy to withdraw as it was to give. Pre-ticked boxes, silence and inactivity do not count as consent.
Organisations should review the way in which they seek and record users’ consent, making sure they can demonstrate who consented, to what and when, and that their procedures account for data subjects’ rights under the GDPR. They should also review their privacy notices and make sure they explain the legal basis for processing personal data. If offering online services to children, they must consider whether they have adequate systems for verifying individuals’ ages and obtaining parental consent, which is required for children under 16 (member states may lower the threshold, but not below 13).
What specific measures does the GDPR require to protect personal data?
Article 32 of the GDPR requires organisations to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The necessary measures vary with that risk: organisations must evaluate the risks to the personal data they process, taking into account the state of the art and the cost of implementation, and the higher the risk, the stronger the safeguards must be. For example, those that process special categories of data, such as health, racial or ethnic origin, sexual orientation, religion and political opinions, will have to apply greater safeguards than those that process less sensitive data. The regulation does not prescribe specific controls, but Article 32 lists examples: pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems; the ability to restore availability and access to personal data in a timely manner after an incident; and a process for regularly testing, assessing and evaluating the effectiveness of the measures. Processing likely to result in a high risk additionally requires a data protection impact assessment (Article 35) before it begins.
The GDPR also requires organisations to keep records of their processing activities (Article 30), and its accountability principle (Article 5(2)) places heavy emphasis on maintaining documentation that demonstrates compliance. Records showing that the organisation continuously monitors its systems, evaluates vulnerabilities and tests its safeguards demonstrate such an effort; they are also what a supervisory authority will ask for after a breach.
Organisations that do not achieve EU GDPR compliance can be fined up to 20 million euros (about $23.6 million at the time of writing) or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. It is expected that enforcement will initially focus on how well organisations comply with data breach requirements.
Will organisations have to name data protection officers to comply with the GDPR?
Public authorities, and organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, must designate data protection officers (DPOs) under the GDPR. The DPO is an independent role, reporting to the highest level of management, that advises on and monitors the organisation’s compliance with the GDPR, including its data protection strategy and implementation, and acts as the contact point for the supervisory authority.
Organisations whose core activities involve large-scale processing of special categories of data, such as health records, or of data relating to criminal convictions and offences, must designate a DPO as well. Whether processing counts as large-scale depends on factors such as the number of data subjects, the volume and range of data, the duration of the processing and its geographic extent; member states may also require DPOs in further cases.
Two examples of organisations that would have to designate DPOs are a hospital processing patients’ genetic and health data, and a search engine or advertising network that tracks users’ online behaviour to target advertising. An individual general practitioner who holds data on patient health, or a local store that sends clients an annual advertisement, are examples of businesses that would not have to designate DPOs, because their processing is not on a large scale.
from Warwick Ashford – Computer Weekly