What is GDPR?
The General Data Protection Regulation (GDPR) has been introduced to strengthen and unify data protection for all individuals within the European Union, for which it also addresses the export of all personal data outside the EU.
The final text of GDPR was agreed in December 2015 after four years of political negotiations and lobbying.
The regulation was adopted on 27th of April, 2016 and it will replace the data protection directive (Directive 95/46/EC) from 1995.
When does it take effect?
After a 2 year transition period, it takes effect on on 25th of May, 2018. As it is an EU regulation and not a directive, it does not require any legislation of national governments and is directly applicable.
How does it affect me?
The GDPR affects every entity that stores or uses European personal data both in and outside of Europe.
Personal data encompasses personally identifiable information defined in the existing Data Protection Directive (DPD) such as identification numbers and data specific to the individual’s identity. In addition, to reflect the changes of the data types collected by businesses and organizations, online identifiers such as IP addresses now qualify as personal data.
According to the regulation, organizations have to appoint a Data Protection Officer (under certain circumstances, see below), train all staff, and establish and audit policies both for employees and vendors. As for the users, organizations have to obtain consent for collecting and processing their data along a given purpose, and define data retention and deletion processes.
Most importantly however, organizations will be obliged to notify both the authorities and the affected individuals of data breaches; this potential loss of reputation is the most powerful incentive for companies to deal with security, as introduced by GDPR – no one wants to get into the news.
GDPR will enforce the following basic rights for the benefit of individuals:
- The right to access personal data stored or processed by the organization
- Right to be forgotten once they cease to be a customer, or if they withdraw consent from an organization to use their personal data
- The right to data portability, i.e. to transfer personal data from one service provider to another
- The right to be informed about the personal data being gathered, with a choice to opt in or out
- The right to correct the data if it is out of date, incomplete or incorrect
- The right to restrict processing, allowing the data to be recorded, but excluding it from any processing by the system
- The right to object, excluding personal data from being used for direct marketing
- The right to be notified within 72 hours upon the company realizing a data breach that compromised personal data
What are the penalties if an incident happens?
Organizations in breach of GDPR can be fined in a tiered system. Depending on severity, the fines can reach up to €20 million or 4% of annual global turnover – whichever is greater.
How is personal data defined?
Anything that has already been defined as personal data under the existing Data Protection Directive (DPD). In addition, to reflect the changes of the data types collected by businesses and organizations, online identifiers such as IP addresses now qualify as personal data. Other data – like economic, cultural or mental health information – are also considered personally identifiable information, and so personal data. The list continues with name, ID number, date and place of birth, religion, race, address, image, fingerprint, email, biometrics, height, weight, email, cookie ID-s, login IP, behavioral patterns, etc.
Do I need to hire a Data Protection Officer?
The Data Protection Officer (DPO) is a leadership role required by GDPR, and is responsible for overseeing the data protection strategy, implementation and maintenance to ensure compliance with the regulation. There are 3 main scenarios where the appointment of a DPO by a data controller or processor is mandatory:
- Processing is carried out by a public authority, or core activities of controller or processor consist of processing operations which either:
- require regular and systematic processing of data subjects on a large scale, or
- process sensitive data on a large scale
Small businesses still need to employ someone in this role if handling personal data is at the core of their operations. This may not have to be a full time employee, but could be an ad-hoc consultant or someone in the company that is an expert in this area to be appointed to act as one.
In today’s connected world with high-profile data breaches dominating the news, legislation such as GDPR should not come as a surprise. Putting the regulatory talk aside, a good data protection policy is more important than ever – not only will it act as a safety net in case of a data breach, but it will also engender trust among users.
That said: the best way to mitigate the effects of data breaches is to design and implement your systems with security in mind. SCADEMY offers a large number of software security courses – sign up now to make sure your company is not going to be the one on the front page!