This regulation is known as the General Data Protection Regulation (GDPR), and it applies to organizations that collect, process or store information about individuals in the European Union. It distinguishes between controllers (those who decide why and how personal data is collected and used) and processors (those who process data on a controller's behalf). The regulation's own term is "personal data" rather than the American "personally identifiable information" (PII): personal data is any information relating to an identified or identifiable natural person, which is broader than most PII definitions and includes, for example, online identifiers such as IP addresses and cookie IDs. The regulation enacts new rules to protect this data and gives individuals (the "data subjects") greater control over it: they can find out what an organization holds about them and how it is used, and the processing must be transparent to them. Where an organization relies on its own legitimate interests to process data, those interests must be weighed against the data subject's rights and freedoms, and the rights prevail when they outweigh the organization's interests.
This regulation is aimed primarily at how organizations process and use the personal data they collect, and at the rights individuals have over that data. It therefore introduces a number of new obligations that organizations must meet to be compliant. The main ones are as follows:
- Have a lawful basis for processing, and obtain valid consent where consent is that basis. Consent is one of six lawful bases (the others include performance of a contract, a legal obligation and the controller's legitimate interests), so it is not required for every processing activity, but where it is relied on it must be freely given, specific, informed and unambiguous, obtained before the processing starts, and as easy to withdraw as it was to give. Two standards apply:
- Unambiguous consent is the baseline for ordinary personal data. It requires a clear affirmative act, such as ticking an unticked box; silence, pre-ticked boxes or inactivity do not count. This covers data collected through a website, a mobile app or cookies.
- Explicit consent is required for the special categories of data, such as health and medical records, genetic and biometric data, and data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership or sexual orientation. In practice this means an express statement or action that clearly refers to the sensitive data, such as a separate, specifically worded check box. Note that financial identifiers such as card numbers are not a special category, though they still require a lawful basis and strong protection.
Additionally, where an online service is offered directly to a child and consent is the lawful basis, data subjects under the age of 16 need consent from a holder of parental responsibility, and the controller must make reasonable efforts to verify that it was given. Member states may set a lower age, though no lower than 13.
- Inform data subjects about the collection of their data. Individuals have a right to be told, at the time their data is collected (or within a month, if it was obtained from another source), who is collecting it, why, on what lawful basis, who it will be shared with and what rights they have. Data may only be kept for as long as is necessary for the stated purpose, so the notice must state the retention period or, if that cannot be fixed in advance, the criteria used to determine it.
- Allow data subjects to access, correct, transfer or erase their data. Individuals have the right to object to processing based on legitimate interests or carried out for direct marketing, and the right to restrict processing while a dispute is resolved. They also have the right to access their data, to have inaccurate data rectified, and, where the data was provided by them and is processed by automated means on the basis of consent or a contract, to receive it in a structured, machine-readable format or have it transferred to another controller (data portability). They can request erasure (the "right to be forgotten") where the data is no longer needed, consent is withdrawn or the processing was unlawful. A copy of the data must be provided free of charge and within one month of the request; that period may be extended by up to two further months for complex or numerous requests, provided the individual is told of the extension within the first month.
- Appoint a Data Protection Officer (DPO) to monitor compliance. A DPO must be appointed by:
- Public authorities and bodies (other than courts acting in their judicial capacity)
- Organizations whose core activities involve regular and systematic monitoring of individuals on a large scale
- Organizations whose core activities involve large-scale processing of special categories of data or data relating to criminal convictions
If your organization doesn't fall into one of these three categories, the GDPR itself does not require a DPO, although member state law may, and it is still worth designating someone to own the compliance program. A DPO may be an employee or an external contractor, must report to the highest level of management and must not be penalized for performing the role.
- Notify breaches within 72 hours. A personal data breach must be reported to the supervisory authority (the data protection authority, or DPA) without undue delay and, where feasible, within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to individuals; if the deadline is missed, the delay must be justified. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay. Processors must report any breach to their controller without undue delay, so contracts with processors should set a reporting deadline that leaves the controller time to meet its own.
- Ensure the security and confidentiality of collected data. Controllers and processors must implement technical and organizational measures appropriate to the risk, which the regulation illustrates with pseudonymization and encryption, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore data after an incident, and regular testing and evaluation of those measures. Organizations must also keep records of their processing activities and carry out a data protection impact assessment before any high-risk processing.
Fines and Punishments
Failure to follow the new rules exposes an organization to the supervisory authorities' corrective powers. The following list covers the possible measures, which are applied depending on the nature, gravity and duration of the infringement:
- Warnings and reprimands
- Orders to comply with data subjects' requests or to bring processing into line with the regulation, and periodic data protection audits
- Temporary or definitive limitations on processing, including a ban on processing and suspension of data flows to a recipient in a third country
- Withdrawal of a certification, or an order to the certification body to withdraw it
- Administrative fines of up to 10 million euros or 2% of worldwide annual turnover for the preceding financial year, whichever is higher, for infringements such as failing to keep records, notify breaches or appoint a DPO, and up to 20 million euros or 4% of worldwide annual turnover, whichever is higher, for infringements of the basic principles, data subjects' rights or the international transfer rules
How to Prepare
The effective date of the GDPR is May 25th, 2018. From that date any organization in non-compliance faces the penalties above. The regulation applies to organizations established in the EU and to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour there, regardless of where the data is actually processed. For the moment this includes the UK, and although the UK's exit from the EU is scheduled to take effect in March 2019, the UK plans to implement a similar regulation domestically, so it's best to prepare for the GDPR anyway.
If your organization is already in compliance with the Data Protection Directive, much of the groundwork is in place, but the GDPR adds obligations the Directive did not have, such as breach notification, data portability, records of processing, the DPO role and the accountability principle, so a gap analysis is still needed.
Step 1: Start by assessing the data you already hold. How is it protected? Do you keep accurate records of where and how all of it was acquired, on what lawful basis, and who it is shared with? Could you quickly and accurately tell an individual what you hold about them, and delete or export it on request? The goal is to address any existing gaps in your current infrastructure and processes. Since most of the changes under the GDPR affect the internal functions of your company, it's best to get these processes in order first, otherwise the fines could be severe. Once everything is in order internally, you can proceed to assess external data sources and third-party processors for compliance.
Step 2: The second half of preparation is knowing when, where and why new data is acquired. Do you have systems in place to inform individuals at the point of collection that you are collecting their data, and to record the consent or other lawful basis you rely on? Is that collection transparent in accordance with the new regulation? Are there data sources, such as purchased lists, partner feeds or third-party tracking, that no one in the organization currently governs? Any violation at the point of collection can result in serious penalties, so trace every route by which data enters the organization. In summary:
- Identify how data is processed and handled within the business, and record it
- Follow data flows to external sources and third-party processors and check them for compliance
- Mitigate the risks and security threats identified in the assessment
- Implement solutions to any problems before the GDPR goes into effect
Staying on top of the ever-changing landscape of business is important, as challenges and changes are arriving faster than ever. You can rely on Dependable Solutions, Inc. to keep you up to date on topics like this and to accelerate your licensing business with a great software solution.
Contact us today at 424-213-6663 to schedule a demo or discuss your requirements.