In the past century, we have witnessed globalization interconnect the trade of goods and services around the world. But as we have evolved into a digital society, interconnectivity has become far more complex. The balkanization of data, coupled with cross-border data flows, has produced a digital globalization of data at an unprecedented rate. Laws surrounding the rights of individuals and their data have not kept pace; in response, the European Union has created a law to tackle the side effects of this digital globalization: the GDPR. So, what is the GDPR?
What is the GDPR?
The General Data Protection Regulation (GDPR) is a new law that changes the way organizations collect, store, and use personal data of European Union citizens. It gives control of personal data back to EU citizens.
It’s no secret that data privacy laws can be complex and even contradictory, making them hard to enforce. One of the goals in crafting the GDPR is to make things simpler, enabling agile and explicit enforcement. The GDPR clarifies the muddied waters of data privacy law in Europe by consolidating it into a single enforceable standard.
Before you exempt yourself from GDPR compliance, note that the law applies to any company processing or handling EU citizen data, even if that company is located outside of the EU. So, don’t think of the EU as a fortress, but rather as a network extending data privacy outward.
The European Parliament adopted the GDPR on April 14th, 2016. However, the law will not be enforced until May 25th, 2018.
Key Takeaways of the GDPR
- Protect Personal Data at Rest or in Transit – Personal data must be protected whether it is at rest or in transit. The GDPR defines personal data as anything that can be used to identify someone directly or indirectly; this includes identification numbers, location data, online identifiers, and physical, physiological, genetic, mental, economic, or cultural/social data about a person.
- Assign a Data Protection Officer (DPO) – Any organization processing or handling personal data will need to assign a Data Protection Officer.
- Data Breach Notification Requirement – If personal data has been breached or compromised, organizations will be required to notify the Data Protection Authority within 72 hours.
- Data Subject Rights – The various rights EU citizens gain or retain under the GDPR with regard to their data; organizations may have an obligation to fulfill requests from data subjects exercising these rights.
- Right of Access – Data subjects have the right to obtain electronic records as to how and where their data is being processed.
- The Right of Erasure or The Right to be Forgotten – Data subjects will have the right to request the erasure of their data, but only where the data is no longer needed for its original purpose.
- The Right of Portability – Individuals have the right to obtain and move/transfer data from one environment to another.
- The Right to Consent – Consent must be given by the data subject to the controller in a lawful manner. It must be given in an explicit statement with free choice.
- Fines and Enforcement – Perhaps the most staggering attribute of the GDPR is the hefty fines for noncompliance. Fines can reach €20 million or 4% of annual turnover, whichever is the greater amount.
How to Prepare
- First, conduct a Risk Assessment to get a comprehensive view of where your organization currently stands in relation to GDPR compliance.
- Appoint a Data Protection Officer to drive the vision of your privacy posture and take ownership of communicating and organizing your new strategy.
- Identify and classify your current data. You cannot adapt and govern your data if you don’t know where and what it is.
- Prepare to fulfill the Rights of Data Subjects. Implement a process for handling requests regarding the right of erasure, data portability, etc.
- Implement privacy into your design and culture. Not only will you need to advance and secure your existing technological systems, but you will also need to create a security-centric culture for team members.
Some questions you should ask yourself while preparing
Will fines and consequences be worse if we don’t monitor our data?
Do I have a proper security team in place?
Where is all my data stored?
How can I secure my IT Infrastructure?
Who has access to my data?
Do we have a system for reporting and proving compliance?
View the GDPR as an Asset, Not an Obstacle
Finding ways to avoid the GDPR will only prove to be time-consuming and unproductive. Instead of viewing the GDPR as an obstacle, take the opportunity to streamline your security and privacy posture. In turn, you will restore trust between Data Subject and Controller.