GDPR stands for General Data Protection Regulation (Polish version is RODO – Rozporządzenie Ogólne o Ochronie Danych Osobowych). It’s a set of rules created to protect the privacy of citizens of the European Union.
The regulation will replace current data protection laws in the EU starting from May 25th, 2018.
It will affect every company that collects and uses the data of individuals in any way, from giant corporations down to small family businesses such as Internet shops or beauty salons.
Why change the rules?
It’s mostly about trust, or rather lack thereof, in the current rules of data protection. Only 15% of people think that they have complete control over the data they provide online.
All organisations processing the data of EU residents will use the same set of rules, which will make compliance easier and cheaper. According to the European Commission, notifying 28 different Data Protection Authorities under the old system would cost businesses in the EU €130 million, while the economic benefits of having one law are estimated at €2.3 billion.
Definition of Personal Data
Personal data will mean any information that can identify an individual person. The list is long, starting with a name, an ID number, images or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a person.
GDPR goes further and introduces new types of identifiers. They include:
- location data
- online identifiers e.g. IP addresses, cookies or mobile device IDs
“In the U.S., we don’t generally consider an IP address to be personally identifying information (…) They generally do in the EU. Whether a U.S. business intended to or not, [if it collected the IP address of an EU resident] … that triggers EU law” says Linda V. Priebe a current partner at Culhane Meadows and the former deputy legal counsel at the Office of Drug Policy at the White House under Presidents Bill Clinton, George W. Bush, and Barack Obama.
What does it mean for individuals?
The new law will give individuals more control over their data by bringing an additional and more clearly defined set of rights to:
- have incorrect or incomplete data changed
- receive information about how their data is processed by an organisation
- receive their data from one organisation and have it transferred to another (data portability)
- object to the use of their data by an organisation in certain circumstances
- receive copies of their personal data in the possession of an organisation
- have their data removed by an organisation in the case where it has no legitimate reason to store it (the right to be forgotten)
What does it mean for organisations?
GDPR requires organisations and businesses to:
- provide information about data collection and its purpose for individuals – an important aspect of this point is that it has to be presented in easy-to-understand, plain language
- collect only the data that is necessary for the purpose for which it will be used
- make sure data is stored safely and properly secured
- store data only for as long as necessary, and no longer
- share a copy of an individual’s data on demand
- report any breach to the supervisory authority within 72 hours
- appoint a DPO (Data Protection Officer) – NOT obligatory in all cases
“If you aren’t in the implementation phase now, there needs to be a good reason, like you are not in Europe, you are a very small business that just got started, or have very little European data,” said Chris Babel – TrustArc CEO.
Organisation’s checklist
This checklist from the U.K. Information Commissioner’s Office highlights steps you can take to begin preparing for the GDPR now.
1. Becoming Aware
Image courtesy: http://gdprandyou.ie
Analyse and improve your organisation’s procedures. It’s better to identify your organisation’s internal problems now.
2. Becoming Accountable
Inspect all personal data your organisation possesses. Ask yourself a few questions. Why? For how long? Is it really necessary? Do you protect it properly?
3. Communicating with Staff and Service Users
Make sure you keep your users fully informed about their data collection and the purpose of data usage, and check all your data privacy notices.
4. Personal Privacy Right
Check whether your systems and staff are prepared to cover all the rights to which individuals will be entitled, e.g. data deletion and portability.
5. How will Access Requests change?
Organisations should make sure that they will be able to reply to a request within a one-month timeframe.
6. What do we mean when we talk about a ‘Legal Basis’?
You should identify the lawful basis for collecting and processing data. Do you meet the standards of the GDPR?
7. Using customer consent as grounds for processing data
Review how you ask for, collect and manage consent from individuals. If it doesn’t meet the requirements of the GDPR, you will need to make the required changes.
8. Processing children’s data
Are your systems ready to verify the individual’s age and collect parental or guardian consent?
9. Reporting data breaches
Are you ready for mandatory breach reporting? Make sure you have procedures in place to detect, report and investigate a data breach. You will have no more than 72 hours to report a breach after becoming aware of it. The affected individuals must also be notified if the breach is likely to result in a risk to their rights and freedoms.
10. Data Protection Officers (DPO)
First, check whether you will be required to designate a DPO. Make sure that it is someone who has the knowledge, support and authority to do the job effectively. The DPO can be a contractor, a new hire or an existing employee of the organisation.
11. International processing
If your organisation operates in more than one EU member state, you should identify the single supervisory authority in the member state where your main activities take place.
Huge fines for violating the new law
For the most serious violations, the Data Protection Commissioner will be able to fine an organisation up to €20 million or 4% of total global turnover. Other measures that the Data Protection Authority will be able to take are warnings, reprimands and suspension of data processing.
The GDPR will also allow individuals to seek compensation in courts for their data privacy breaches, even in situations when there was no economic loss.
List of European Union Data Protection Authorities
- Ireland www.dataprotection.ie
- European Data Protection Supervisor (regulates EU institutions) www.edps.europa.eu/EDPSweb
- Austria www.dsb.gv.at
- Belgium www.privacycommission.be
- Bulgaria www.cpdp.bg
- Croatia www.azop.hr
- Cyprus www.dataprotection.gov.cy
- Czech Republic www.uoou.cz
- Denmark www.datatilsynet.dk
- Estonia www.aki.ee
- Finland www.tietosuoja.fi
- France www.cnil.fr
- Germany www.bfdi.bund.de
- List of regional data protection authorities in Germany https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html
- Greece www.dpa.gr
- Hungary www.naih.hu
- Italy www.garanteprivacy.it
- Latvia www.dvi.gov.lv
- Lithuania www.ada.lt
- Luxembourg www.cnpd.lu
- Malta www.dataprotection.gov.mt
- Netherlands www.autoriteitpersoonsgegevens.nl/nl
- Poland www.giodo.gov.pl
- Portugal www.cnpd.pt
- Romania www.dataprotection.ro
- Slovakia www.dataprotection.gov.sk
- Slovenia www.ip-rs.si
- Spain www.agpd.es
- Sweden www.datainspektionen.se
- United Kingdom www.ico.org.uk
Does it influence anybody outside of the EU?
Yes, but you may ask, why? It’s a law made by the EU for the EU, right? Actually no. The impact of these regulations isn’t just limited to Europe. It also affects organizations worldwide if they process the personal data of EU residents.
So, another question may arise. How does the EU fine, for example, a US company on the basis of an EU law that has no equivalent on the other side of the ocean? The authorities of EU member states rely on international law.
Preparing for GDPR – costs
According to GDPR research conducted by TrustArc, cost is a significant part of preparing for GDPR.
42 percent of respondents expect to spend between $100,000 and $500,000, 23 percent between $500,000 and $1 million, and 17 percent more than $1 million. The largest companies that took part in the survey expect to spend between $28 and $48 million. For most companies around the world that have to prepare for GDPR the costs are much lower, but preparation will require additional effort in any case.
Organisations’ awareness about GDPR
In mid-2017, many companies were still unprepared for GDPR and at risk of big fines.
The data below comes from an article written by Peter Tsai – Senior Technology Analyst at Spiceworks.
Conclusion
This seems to be a change in a good direction: technology is changing quickly, and more and more sensitive data that we have to protect is used and exchanged between organisations.
The other side of the story may be less optimistic. I’m afraid that we will be “attacked” by much more information and required consents on Internet websites, during calls with banks, telecommunication companies, etc.
Have you ever been frustrated by information about cookies all over the Internet or the notification that your phone call is being recorded? Prepare for even more of that.