GDPR will replace national data protection laws of all 28 EU member states in May 2018 and has international reach – applying to any organization that processes data of EU data subjects. Finds for non-compliance will increase substantially up to a maximum fine of € 20 million or 4% of global annual sales, whichever is higher. GDPR will fundamentally change the way organizations must manage personal data.
What is the impact of GPRR in your business?
Personal data – Article 4 (1) of the GDPR says that “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’)”. It adds that: an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. That means Personal data include genetic, medical, economic, cultural or social data. Organizations are obligated to identify which data held by them is qualifies as personal, how is physically stored and the state i.e. is it encrypted or anonymized.
Personal data movement across borders – Article 1(116) of the GDPR points “ When personal data moves across borders outside the Union it may put at increased risk the ability of natural persons to exercise data protection rights in particular to protect themselves from the unlawful“ e. organizations should be aware of and take steps to mitigate the risk of transferring data to countries that are not part of the EU, or storing data on cloud platforms hosted in non-EU countries.
Data protection officer – Organizations` with more than 250 employees, or, if they process over 5,000 personal data records in any given year appointment of a data protection officer will be mandatory. Definition of role is made at Article 37 of the GDPR.
Data protection impact assessment (DPIA)– Article 35 of the GDPR says that data controllers must carry out data protection impact assessments (DPIAs) to “evaluate, in particular, the origin, nature, particularity and severity” of the “risk to the rights and freedoms of natural persons” before processing personally identifiable information. That means that privacy impact report seeks to identify and record the essential components of any proposed system containing significant amounts of personal information and to establish how the privacy risks associated with that system can be managed.
Consent –The definition of consent at Article 4 (11) of the GDPR says that “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” That means all consent forms should be available and easily accessible, and the document should be laid out in simple terms.
Privacy by design – Article 1(4) of the GDPR says that„The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.“ That means essence of privacy by design is that privacy in a service or product is taken into account not only at the point of delivery, but from the inception of the product concept. This means that every new IT project should be taking GDPR into consideration now to avoid costly rework.
Data breach notification –Article 1(85) of the GDPR says that “as soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.“ The introduction of data breach notification regulations and changes in liability will have a profound impact on the supply chain, i.e. processors will be required to inform controllers immediately (or without undue delay) after a data breach. These changes place a greater emphasis on supply chain data security and regular supply chain reviews, and audits will be required to ensure they are fit for purpose under the new regulation. Another impact of this new regulation is that contracts being negotiated with suppliers will need to be future-proofed for the Regulation.
Right to Data portability – Article 20 of the GDPR describing the ability to transfer personal data from one service provider, such as a supermarket loyalty card or social network, to another, via a copy of personal data in a format usable by the data subject and electronically transmissible to another processing system. This is intended to not only increase consumer data protection rights but also enhance competition among service providers.
The right to be forgotten – Article 1(66) of the GDPR points, for example that data subjects to request the removal, without delay, of personal data collected or shared by service providers.
You can do some self assessment for your organization GDPR readiness.
Please answer to following questions:
- Do your organization collect personal data?
- Do you store personal data outside EU?
- Have you established organizational and infrastructural procedures to prevent uncontrolled gathering, unauthorized access and recovery of personal data?
- How you classify your data?
- Do you have sensitive personal data?
- Do you have an established process for addressing personal requests and produce a copy of them?
- Do you have a team responsible for privacy in your organizationБ
- What is your infrastructure build to store, monitor and protect your data?
Our Approach
We perform a Legal Readiness Assessments in accordance with GDPR and Cibersecurity Audit based on Intersections Security analyses to develop full understanding of GDPR readiness.
Reporting:
- Executive Summary
- Gap Analysis
- Detailed Roadmap
- Targeted Action Plan
- Customized Presentation