Generally regarded as the most far-reaching privacy legislation in the world, GDPR grants rights to people in the EU regarding their personal data. Due to its extra-territorial scope, this also affects organizations outside the EU. The GDPR expands the privacy rights of EU individuals and places new obligations on all organizations that market, track or handle EU personal data.
If you have customers in the EU and you’re looking to attract more, GDPR applies to you – regardless of where your organization’s headquarters are located. Organizations of all sizes across the globe have spent the past several months preparing for GDPR’s compliance deadline. While the May 25 date has come and gone, compliance with GDPR is an ongoing responsibility.
To help you better understand and remain compliant with GDPR, here are the key points.
Increased Reach and Substantive Fine
Wider Territorial Reach
GDPR is applicable to data controllers and data processors (A) established in the EU or (B) located anywhere in the world when processing personal data in connection with the offering of goods/services or monitoring behavior of data subjects in the EU. The trigger is presence “in the EU” – data subject citizenship or residency is irrelevant.
Maximum fine between 2 percent and 4 percent of annual global revenue for egregious mishandling of personal data.
Companies are accountable under the data protection authority (DPA) of the country of their main establishment in the EU (in cooperation with other relevant DPAs).
Strengthening Individual Rights
Depending on the product or service and data involved, data subjects have a right to request the data that they supplied to data controllers to be given to them in a commonly used electronic format so they can easily change service providers.
Adoption of a more active, informed consent-based model set forth as one possible way to support lawful processing of personal data. Consent must be fully informed, freely given, revocable at any time, and provision of goods or services cannot be contingent on consent. Thus, true consent has become increasingly difficult to obtain, leaving businesses to rely on other legal basis for processing, such as legitimate interest.
Right to Erasure
Allows individuals the right to request the deletion of their data relating to them if there are no legitimate grounds for retaining it.
Increased Company Obligations and Accountability
Data Protection Impact Assessments
When dealing with high-risk data sets, companies are now required to conduct (and document) a data protection impact assessment (DPIA). The DPIA evaluates the potential risk and impact the personal data processing activities may have on the data subject’s fundamental rights and freedoms and appropriately manage that risk. In some cases, consultation with the relevant DPA is also recommended and may even be required.
Privacy by Design/Default
Privacy issues must be considered and addressed at the design phase of product and system development (not post launch). Privacy protective functionality to appropriately limit data collection, processing, retention and access must be designed into data-driven technology. And – to the extent privacy options are available – the default setting should be the more privacy-protective option.
Risk-based breach notification requirements are outlined in the GDPR. Data controllers must notify: (A) relevant Data Protection Authorities (DPAs) within 72 hours unless the breach is unlikely to result in a risk to the rights and freedoms of the natural persons; and (B) impacted data subjects without undue delay when a high risk to rights and freedoms is likely. If a data processor is involved and uncovers a breach, it must notify affected data controllers without undue delay.
Data Processor’s Liability
Processors are directly accountable for compliance with data protection laws. Data controllers are also liable for any misconduct of the data processors they selected, unless they can prove they were not in any way at fault.
Data Protection Officer (DPO)
Companies should appoint a Data Protection Officer (DPO) and a team that is responsible and accountable for data protection. In some cases, depending on the sensitivity and scale of personal data being processed, appointing a DPO is mandatory.
The New Era of GDP and Its Impact
GDPR will strengthen the protection of personal data in light of rapid technological developments, increased globalization and more complex international flows of personal data. It updates and replaces the patchwork of national data protection laws currently in place with a single set of rules, directly enforceable in each EU member state.
The GDPR regulates the processing of data for EU individuals, which includes collection, storage, transfer, or use. Any organization that processes personal data of EU individuals is within the scope of the law, regardless of whether the organization has a physical presence in the EU. Under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”).
GDPR changes the privacy law by expanding data privacy rights for EU individuals, data breach notification and added security requirements for organizations, as well as customer profiling and monitoring requirements. GDPR also includes Binding Corporate Rules for organizations to legalize transfers of personal data outside the EU.
While these new rules can seem daunting, if your organization starts by organizing stakeholders and working with colleagues – including leveraging committees of privacy and security professionals like the HIMSS Cybersecurity Committee – to create a plan of action, you can tackle this new world.