GDPR was adopted by the European Union (EU) in April 2016 and goes into effect May 25, 2018, after a two-year transition period. It extends the scope of EU data protection laws to all foreign companies processing data of EU residents. GDPR mandates that companies doing business in the EU or processing data of EU residents must implement stronger data governance, data security and privacy, data retention, and data sharing controls.
Fines for Non-Compliance
Severe fines of up to 4% of worldwide turnover will be levied for non-compliance with GDPR's data protection regime. The Parliament's version contains increased fines up to 5% of worldwide turnover.
The following sanctions can be imposed:
a warning in writing in cases of first and non-intentional non-compliance
regular periodic data protection audits
a fine up to 10,000,000 EUR or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater, for certain infractions (Article 83, Paragraph 4)
a fine up to 20,000,000 EUR or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater, for other infractions (Article 83, Paragraphs 5 and 6)
Primary Objectives of GDPR
The primary objectives of the GDPR regulations are to give European Union (EU) citizens back control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. It also addresses export of personal data outside the EU.
EU member states will use GDPR mandates to monitor and regulate how EU and foreign companies manage, govern, secure, and share personal data of EU citizens.
Definition of Personal Data for GDPR
According to the European Commission "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address."
What Does GDPR Mandate?
Data Protection Officer - A person with expert knowledge of data protection law and practices should assist the controller or processor to monitor internal compliance with this Regulation. The DPO is similar but not the same as a Compliance Officer as they are also expected to be proficient at managing IT processes, data security (including dealing with cyber-attacks) and other critical business continuity issues around the holding and processing of personal and sensitive data. Monitoring of DPOs will be the responsibility of the Regulator rather than the Board of Directors of the organization that employs the DPO.
Consent - Valid consent must be explicit for the data collected and the purposes for which the data is used (Article 7; defined in Article 4). Consent for children must be given by the child’s parent or custodian, and must be verifiable (Article 8). Data controllers must be able to prove "consent" (opt-in) and consent may be withdrawn.
Data Breaches - Under the GDPR, the Data Controller will be under a legal obligation to notify the Supervisory Authority without undue delay. The reporting of a data breach is not subject to any de minimis standard and must be reported to the Supervisory Authority within 72 hours from the data breach (Article 33). Individuals have to be notified if adverse impact is determined (Article 34).
Right to Erasure - A so-called right to be forgotten was replaced by a more limited right to erasure in the version of the GDPR adopted by the European Parliament in March 2014. Article 17 provides that the data subject has the right to request erasure of personal data related to him on any one of a number of grounds, including non-compliance with article 6.1 (lawfulness), which includes a case (f) where the legitimate interests of the controller are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
Data Portability - A person shall be able to transfer their personal data from one electronic processing system into another, without being prevented from doing so by the data controller. In addition, the data must be provided by the controller in a structured and commonly used electronic format. The right to data portability is provided by Article 18 of the GDPR. Legal experts see in the final version of this measure a "new right" created that "reaches beyond the scope of data portability between two controllers as stipulated in Article 18."
Some Important Requirements
The notice requirements remain and are expanded. They must include the retention time for personal data, and contact information for the data controller and data protection officer has to be provided.
Automated individual decision-making, including profiling (Article 22) is made contestable. Citizens now have the right to question and fight decisions that affect them that have been made on a purely algorithmic basis.
Privacy by Design and by Default (Article 25) requires that data protection is designed into the development of business processes for products and services.
Privacy settings must be set at a high level by default.
Data Protection Impact Assessments (Article 35) have to be conducted when specific risks occur to the rights and freedoms of data subjects. Risk assessment and mitigation are required, as is prior approval of the Data Protection Authorities (DPA) for high risks. Data Protection Officers (Articles 37–39) are to ensure compliance within organizations.
What Must Companies Do to Comply?
GDPR mandates that companies doing business in the EU or processing data of EU residents must implement stronger data governance, data security and privacy, data retention, and data sharing controls. Here are a few steps they can take:
Data Governance - Implement a data governance program (if none exists) or improve an existing program, to ensure that it enables compliance with GDPR mandates with respect to accountability for sensitive data, that data privacy is built into business processes, that the data governance organization supports the DPO (e.g., to conduct Data Protection Impact Assessments), and that the relevant data security and privacy standards and policies are defined and enforced.
Data Security and Privacy - Any data that is defined as "personal data" must be tagged appropriately at the source, so that it can be handled with care. Proper privacy controls must be implemented (e.g., data masking or encryption) to prevent unauthorized exposure of sensitive data.
Data Retention - Notices regarding data retention periods must be published and data retention processes related to personal data must be implemented consistently across the company.
The creation and dissemination of personal data is a fact of life, and it has resulted in a sense of paranoia and helplessness on the part of citizens, since they have no control of their personal data anymore. The primary objectives of the GDPR regulations are to give European Union (EU) citizens back the control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. It also addresses export of personal data outside the EU.
Regardless of the country they operate in, companies that acquire and process "personal data" have a responsibility to handle it with care and implement necessary governance regimes, with the goal of preventing unauthorized access to or sharing of this sensitive data. Protecting "personal data" is good for business as well - it builds trust with customers, which results in higher customer intimacy - a critical business imperative in a highly competitive world.
Note: Some information regarding GDPR regulations has been sourced from Wikipedia.
Go forth and conquer!
Follow the author on Twitter: @jayzaidi