General Data Protection Regulation (GDPR) is the new European Union privacy law, approved in 2016 jointly by European Parliament, the Council of the European Union and the European Commission.
GDPR will replace the existing European Data Protection Directive (which btw, came into the picture in 1995), which will be in effect until May 25, 2018. Post this date, GDPR will supersede and all the laws attached to data protection will be governed by GDPR.
GDPR aims to bring all the EU member states under one umbrella by enforcing a single data protection law. GDPR is intended to put guidelines and regulations on how data is processed, used, stored or exchanged.Should I be concerned about it — Who is it for?
GDPR applies to all the organizations that are registered in EU or have an establishment or subsidiary in EU. It also applies to an organization which sells goods or services to citizens of the EU and process or monitor the personal data of EU residents.
Note: Personal data is any information relating to an identified or identifiable natural person
In simple words, if your business is established in EU or part of your customer base is located in EU, you must comply with GDPR.
The specific criteria for organizations that are required to comply are:
A PwC survey showed that 92 percent of U.S. companies consider GDPR a top data protection priority.Which parties are involved in GDPR?
There are three major stakeholders under these regulations, namely:
Say, if you are a business selling a SaaS product to EU citizens(Data Subjects) and using a third party tool X to analyze consumer behavior on your platform. You are the Data Controller and X is the Data Processor.What’s different than before — what are the key changes?
GDPR harmonizes how personal data is processed, used, stored and exchanged securely across all EU member states.
The organizations coming under the radar of EU will have to demonstrate the security of the data they are processing. They will also have to implement substantial technical and organizational measures to demonstrate their compliance with the GDPR on a continual basis.Security actions required
GDPR has specific instructions for what types of security action may be required:
The GDPR intends to protect the personal data of EU residents and the data which is deemed personal is:
The GDPR authorities will be able to issue fines of up to EUR 20 million or 4% of annual worldwide turnover, whichever is higher if there is a breach of terms listed by the authorities.What are the entitled rights of Data Subjects?Breach Notification
In case of any data breach that is likely to result in unauthorized use and distribution of data, the Data Controllers will have to notify Data Subjects about the breach within 72 hours of becoming aware of the same.
Similarly, Data Processors will have to inform Data Controllers about the breach within the time frame.Right to Access
GDPR brings the right for Data Subjects to get information about how, where and for what purpose their personal data is being processed.Right to be Forgotten
Also known as Data Erasure, the right to be forgotten entitles the Data Subject to have his/her personal data deleted from the logs of Data Controllers. The right to be forgotten also enables them to halt or cease further distribution and use of the data by third parties.Data Portability
GDPR introduces data portability — the right for a Data Subject to receive the personal data concerning them, which they have previously provided in a commonly use and machine-readable format and have the right to transmit that data to another Controller.
This essentially means that if you want to make a switch from one service provider to other, the former service provider should give you the complete data in a machine-readable format which can be used to integrate with the new service provider.Privacy by Design
The privacy by design is formally inducted in GDPR to facilitate effective designing of systems which resonate with the best practices of data protection. The controller shall implement appropriate technical and organizational measures in a design effective way in order to meet the requirements of this right and protect the rights of data subjects.
The controllers should hold and process only the data absolutely necessary for the completion of its duties, as well as limiting the access to personal data to Data Processors.Data Protection Officers (DPO)
A DPO should be appointed to facilitate the smooth functioning of data protection in certain organizations.
These organizations include the Controllers and Processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offenses.Does my business need to appoint a DPO?
DPOs must be appointed in the case of:
If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.How will it affect my cloud data storage practices?
If you plan to use a public, private or hybrid cloud data storage, there are GDPR compliance implications. These implication are listed below:
GDPR is a new reform in age-old privacy and data protection laws for businesses concerning residents of EU, which is a major customer base of a lot of businesses. GDPR intends to bring harmonized regulations across all the EU states.
It can be intimidating to first scan the official GDPR policies and the buzz created in the business community. But this article and other supporting documents on the internet will guide you to tweak your policies and practices to comply with GDPR easily.
I thank Devashish, CEO of Kommunicate for helping me with research and notes on GDPR.
This article was originally posted here.