On May 25th 2018, the EU's forthcoming General Data Protection Regulation (GDPR) will take effect, and the regulation will have significant consequences for many IT departments in Denmark and across Europe. Overall, GDPR's aim is to protect EU citizens' privacy rights and to change the way in which companies and organizations handle personal data. The new regulation replaces the current legislation, dating back to 1995, long before social media, Google, cloud computing and other technological developments existed. These technologies provide new possibilities for collecting, processing and using personal data for business purposes. This is why GDPR has become necessary: to protect the privacy rights of consumers and employees.
Following is an overview of five main GDPR areas that companies and organizations in particular should be aware of in order to avoid huge fines.
The right to be forgotten
The right to be forgotten will be implemented in GDPR. This means that in some situations individuals have the right to have their personal data erased. This is for example the case if the personal data is no longer necessary for the purpose it was originally collected for. Another example: if a company is processing personal data for direct marketing purposes and the individual objects to that processing, then the company must delete the personal data. These are just two examples, but there are several other situations in which deletion of personal data can be ordered.
Designate a Data Protection Officer (DPO)
Processing of personal data must be the core activity of the company. This is why, under the new regulation, it will be a requirement for companies to designate a Data Protection Officer (DPO), in both the private and public sector. The Data Protection Officer's responsibility is to oversee and implement a data protection strategy to ensure GDPR compliance. It is important to emphasize that the DPO is not a general requirement for all companies, but it is important to investigate whether it is necessary for yours. The regulation states that any company processing large amounts of personal data or sensitive information must establish a DPO role.
Notification duty within 72 hours
GDPR has introduced a notification obligation, which means that if a personal data breach has happened, the company has up to 72 hours to report the breach to the national data protection authorities. The report must state the approximate number of impacted data subjects, the likely consequences and what measures have been taken to minimize the risk and impact of the breach. In many cases this is a lot of information to gather in 72 hours, so a well-planned process for the situation is recommended. Better yet, build good operational procedures so that you detect a potential breach before it happens.
Privacy by Design & Privacy by Default
Companies must ensure that the privacy protection rules are adhered to, and must be able to document through internal procedures and privacy policies that this is done; this is called Privacy by Design and Privacy by Default. Privacy by Design implies that companies must protect personal information by incorporating business processes and infrastructures into technology design specifications. This means that personal data protection must be built into the architecture of new systems and processes. Privacy by Default means that when a system or service offers the individual choices about how much personal data he or she shares with the company, the default settings should be the most privacy-friendly ones.
Data Protection Impact Assessment
A data protection impact assessment is a process that helps you identify and minimize the data protection and privacy risks of a project. An impact assessment must be performed each time new data processing technologies are introduced or when processes are changed. With the assessment, potential problems are identified at an early stage, and it is usually less costly to implement changes early than later in the development phase or when the product or service is close to market launch.
It is important to note that GDPR is a complex set of rules, and the above is just a selection of areas in GDPR that companies need to be aware of. This is why it is inevitable for most companies that collect personal data to consider to what extent GDPR will affect their business in order to avoid huge financial sanctions. The fine for not having a data processing agreement or for failure to act in accordance with GDPR rules is a maximum of 10 million euros or 2% of global revenue, whichever is higher. If personal data is passed on to data processors outside the EU, fines may amount to up to 20 million euros or 4% of global revenue. This means that it is a good idea to have a detailed roadmap, strategy and contracts regarding data processing ready by May 25th, 2018.