The EU’s General Data Protection Regulation (GDPR) takes effect on May 25, 2018 in all of the EU’s member states. It imposes stringent compliance requirements on virtually all businesses that collect personal information from individuals in the EU. There are hefty fines for non-compliance.
It’s a regulation, not a directive. That means that it will apply automatically and simultaneously to all member states on May 25, 2018 without the need for ratification. The regulation also applies to organizations based outside the European Union if they collect or process personal data of EU residents. Data can only be processed if there is “lawful basis for processing.”
What is “lawful basis for processing”?
– the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
– processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
– processing is necessary for compliance with a legal obligation to which the controller is subject.
– processing is necessary in order to protect the vital interests of the data subject or of another natural person.
– processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
– processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
What new obligations does the GDPR impose?
Conduct a full risk assessment, implement security measures, be ready to demonstrate compliance, prove full data control and risk mitigation.
Maintain “data control.” That entails minimizing the exposure of users’ identities and only processing data for authorized purposes.
Implement safeguards for data protection, such as encryption.
“Right to be forgotten” requires companies to completely erase user’s data from all repositories when:
– Users revoke their consent
– A partner organization requests data deletion, or
– A service or agreement expires or is terminated.
Appoint a data protection officer (DPO). The appointment of a DPO is mandatory for public authorities, organisations involved in high-risk processing and organisations processing special categories of data. DPO’s duties include advising the organisation of its obligations, monitoring compliance and acting a contact point for authorities.
New breach notification requires reporting security breach to a regulator in EU within 72 hours. Breach must also be reported directly to all affected users.
What are the penalties for non-compliance?
– A written warning in cases of first and non-intentional non-compliance,
– Regular periodic data protection audits,
– Up to €20 million or 4 percent of global annual turnover, whichever is higher.
Is there a number to call?
Yes, the Information Commissioner’s Office has launched a dedicated telephone service aimed at helping small businesses prepare for GDPR. There is also a live chat.