Are You Ready for the GDPR?
How to Prepare for the EU’s General Data Protection Regulation
In a recent episode of Data Talks, I learned that there are still American companies unaware of the GDPR, an EU law that could cost them up to 4% of their annual global turnover or €20 Million if they fail to comply. “We took a poll recently at a conference that I was at,” explained BI industry analyst John Myers, “and most of the people in the room in the United States 1) had never heard of GDPR, 2) didn’t think a European law applied to them, and 3) had no plans to meet its deadline next spring.”
In an effort to spread the word and help other members of our business community prepare, we have put together the following FAQs and informational resources. The EU regards its citizens’ ability to control their personal data a fundamental right, so read on to learn what that means for you and your organization.
Does this law affect my company?
According to eugdpr.org, the GDPR “applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”
The law’s language distinguishes between “data controllers” and “data processors,” imposing different obligations on each group. A data controller is defined as any entity which, “alone or jointly with others, determines the purposes and means of the processing of personal data.” A data processor, then, is any entity which “processes personal data on behalf of the controller.”
So, in other words, if you collect EU email addresses for newsletter subscriptions through your website, this law applies to you. If you market to EU citizens, it applies to you. If you transact with EU consumers, it applies to you. If you make data processing software or hardware that might be applied EU data, this applies to you.
What are the EU countries again?
Here they are, all 28 of them. And yes, the United Kingdom will still be a member when the law goes into effect on May 25th, 2018.
How long before the GDPR goes into effect?
The Data Protection Authorities (DPA) of the European Commission will begin enforcing the GDPR on May 25th, 2018.
What happens if I don’t comply?
You can be fined up to 4% of their annual global turnover or €20 Million, whichever is greater.
What are my obligations as a data controller?
Disclaimer: this is not legal advice. The best way to ensure that your responsibilities to the GDPR are met is to seek legal counsel. Nevertheless, you will find information pertaining to data controller obligations in Chapter 4 of the GDPR, which requires data controllers to implement “data protection by design and by default.” This means taking “appropriate technical and organizational measures...to implement data-protection principles,” which includes collecting only the data necessary for processing and, by default, not making that data available to an “indefinite” number of people.
What are my obligations as a data processor?
See disclaimer above and Chapter 4 of the law. Data processors must acquire “explicit and unambiguous” consent to process subjects’ data. “Companies will no longer be able to utilize long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent - meaning it must be unambiguous.” Pre-checked consent boxes are also forbidden, as data subjects must expressly opt in to give permission, rather than be required to opt out.
If a data breach occurs, data processors have 72 hours in which to notify the affected persons.
Do EU citizens (“data subjects”) have new powers I should be aware of?
Yes indeed. See the eugdpr.org’s Key Changes article for more detail, or read on for an overview:
Right to Access: Data subjects have the right to “obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose.” They also have a right to an electronic copy of that data.
Right to be Forgotten: Data subjects can request that a data controller erase his/her personal data and discontinue its dissemination. They can also withdraw consent to processing.
Data Portability: Data subjects have the right to move their data from one data controller to another.
How do I demonstrate that my organization is GDPR compliant?
The law suggests that organizations appoint a data protection officer responsible for monitoring and managing the company’s data security as it applies to the GDPR (see Ch. 4, Art. 39). In general, it is important to keep records of all processing of personal information and to implement safeguards for cross-border data transfers. SaaS providers: note that demonstrating compliance also means verifying that third-party vendors of your product are compliant. In some cases, it may also be necessary to perform data protection impact assessments. When in doubt, contact regulators before engaging in certain processing activities.
When you say “keep records of all processing of personal information,” what do you mean?
To perform an audit on data you hold, document everything concerning the data’s circumstances, including: what data you hold, where it came from, when you obtained it, how often you update it, where it is stored, how it is stored, how it is transferred from one place to another, who has access to it when, and what its retention policy is.
Where can I go for more information?
- The EU GDPR site is a great place to start and the source of most of the above information.
- Here’s the original law, and here’s a user-friendly version.
- The Data Protection Authorities are responsible for enforcing the GDPR and can help answer your questions.
- The Information Commissioner’s Office in the UK put together this nice 12-step guide to GDPR prep.
- Microsoft put together a GDPR readiness assessment test that your organization might find useful.
- The International Association of Privacy Professionals (IAPP) has lots of great resources on the GDPR, but you need to be a member to access it.
We hope you’ll help spread the word and wish you luck in your preparation!