The GDPR is coming. Are you ready?
Posted by Stephan Dona
What is the GDPR and why does it matter
The General Data Protection Regulation (GDPR) is a new EU-wide legal framework that sets out, and provides for the enforcement of, a wide range of privacy and data protection requirements.
The GDPR entered into force in May 2016 and applies from May 25, 2018. From that date it will, for the first time, provide a single set of directly applicable rules across the entire European Union, replacing the differing national transpositions of the 1995 Data Protection Directive. What's more, the GDPR represents the world's most extensive trans-national privacy and data protection regime: under Article 3 it applies to any organization that processes the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour, whether or not that organization is established in the EU. In effect, the GDPR is a law with genuinely global reach.
Preparing to comply with the GDPR is an extensive undertaking, requiring numerous efforts at every level of operations. Here are just a few of the most important topic-areas to take note of.
Data Controllers and Processors
Under the GDPR, every organization that handles personal data acts as a controller or a processor for a given processing activity (it can be both, for different activities). Although the bulk of the obligations still falls on the controller, the GDPR for the first time places specific legal obligations directly on the processor.
For example, the processor, like the controller, must implement technical and organizational measures that ensure a level of security appropriate to the risk, including the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services – Article 32(1); and the processor must notify the controller without undue delay after becoming aware of a personal data breach – Article 33(2). The distinction between a controller and a processor is first and foremost legal, not logistical or procedural. A controller may not be directly involved in managing or handling the data at all; merely directing a partner organization to process data on its behalf still makes the controller liable for how that data is used.
The granular specifics will vary for each particular case, but in general, controllers determine how and why the personal data is processed, while processors execute the actual processing of that data under the direction of the controller. However, both must always comply with the relevant GDPR obligations.
The GDPR also mandates the formal appointment of a Data Protection Officer (DPO) for public authorities and for any organization whose core activities require "regular and systematic monitoring of data subjects on a large scale" or consist of "processing on a large scale of special categories of data" – Article 37(1).
Expanded definition for “personal data”
In contrast to the patchwork of national interpretations of what counted as "personal data" under the previous Directive, the GDPR provides a single, clear and notably expanded definition of protected data – Article 4(1).
Personal data is now any information relating to an identified or identifiable natural person, where a person is identifiable if they can be singled out, directly or indirectly, by an identifier such as a name, an identification number, location data or an online identifier, or by factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity. In practice this brings device and online identifiers such as cookie identifiers and IP addresses within scope (Recital 30), so logs, analytics data and session records count as personal data.
Privacy by Design and by Default
Under Article 25, organizations are required, for the first time, to build data protection into their products and processes at the design stage ("by design") and to ensure that, by default, only the personal data necessary for each specific purpose is processed ("by default"). The default obligation covers the amount of data collected, the extent of processing, the retention period and who can access the data.
The specific shape this "privacy by design and by default" requirement takes will vary across organizations, but it is a vital consideration as organizations evaluate technology and platform options for the future.
Consent: Parameters and Procedures
The rules for obtaining and maintaining valid consent from data subjects are significantly expanded and strengthened, with specific conditions for various circumstances.
In general, the GDPR requires every request for consent to be clear, in plain language and distinguishable from other matters, and consent can no longer be inferred from silence, inactivity or pre-ticked boxes. It must be freely given, specific, informed and unambiguous, expressed by a statement or a clear affirmative action – Article 4(11). The controller must be able to demonstrate that consent was obtained, and withdrawing consent must be as easy as giving it – Article 7.
Mandatory Data Protection Impact Assessments
In general, the GDPR requires an organization to be a proactive protector of personal data, and one of the chief mechanisms for that is the data protection impact assessment (DPIA), which is mandatory in certain cases.
A DPIA is required "[w]here a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons" – Article 35(1), and it must be carried out before the processing starts. Article 35(3) singles out systematic and extensive profiling that produces legal or similarly significant effects, large-scale processing of special categories of data or of data relating to criminal convictions, and systematic large-scale monitoring of publicly accessible areas. In short, any large-scale, systematic or intrusive processing of personal data will probably require a DPIA.
Examples include: a hospital network analyzing its patient records, an organization using public video footage to read vehicle license plates, and even a sizable company monitoring the internet activity of its own employees.
Unifying Notification Regimes
The GDPR provides a single legal framework for breach notification. A controller must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals; a notification made after 72 hours must explain the delay – Article 33(1). The notification must describe the nature of the breach, its likely consequences and the measures taken or proposed to address it – Article 33(3), and every breach, whether notified or not, must be documented – Article 33(5). Because the clock starts at awareness, products and operations must be capable of detecting and confirming a breach quickly and of producing the information needed to report and begin mitigating it within the same timeframe; adequate logging, monitoring and a rehearsed incident response process are what make the deadline achievable.
New Rights and Liabilities
The GDPR provides for an array of newly codified rights for data subjects and attendant liabilities for data controllers (and processors) in four key areas:
- Breach Notification
Data subjects have the right to be informed without undue delay when a breach of their data is likely to result in a high risk to their rights and freedoms – Article 34.
- Right of Access
Data subjects have the right to confirmation of whether their data is being processed, to access that data, and to know the purposes, recipients and retention period. The controller must provide a copy free of charge and, where the request was made electronically, in a commonly used electronic form – Articles 12 and 15.
- Right to Be Forgotten
Data subjects have the right to request the erasure of their data and to object to its further processing, subject to the exceptions in Article 17(3) such as legal obligations or the establishment of legal claims – Articles 17 and 21. A controller that has made the data public must also take reasonable steps to inform other controllers processing it.
- Data Portability
Data subjects have the right to receive the data they provided in a structured, commonly used and machine-readable format, and to have it transmitted directly to another controller where technically feasible – Article 20.
In each case, organizations must ensure their chosen technology products (software, platforms, etc.) are up to the task of meeting the GDPR's requirements, now and in the future. Unit4 has always treated privacy and effective data protection as a matter of paramount importance. We are preparing our staff, products and processes to comply with the requirements under the GDPR, which apply from May 25, 2018.
Unit4 will certainly comply with the obligations under the GDPR as well as with obligations that may be imposed under national legislation. We have prepared a short overview and introduction which highlights the main topics under the GDPR and the actions we are taking accordingly.