From 25 May 2018, the EU General Data Protection Regulation (GDPR) will affect every organization that processes EU residents’ personally identifiable information (PII). The IT Governance Portal published an infographic and really useful information for everyone who deals with personal customer data. We summarize it below, and we are available to help you ensure full compliance regarding the client onboarding process. Time flies, so it’s better to act now.
We also invite you to read our blog article “Customer data protection: how to eliminate risks of loss or exposure” to know more about data security breaches, best practices for customer data protection as a corporate-wide approach, and guidelines to truly ensure customer data protection and compliance.
About the GDPR
First proposed in January 2012 by the European Commission and formally approved by the European Parliament in April 2016, the GDPR will supersede national laws, unifying data protection and easing the flow of personal data across the 28 EU member states. When the GDPR comes into force on 25 May 2018, all organizations that process the personally identifiable information of EU residents will be required to abide by a number of provisions or face significant penalties.
The new EU General Data Protection Regulation introduces a number of key changes for organizations:
- If your business is not in the EU, you will still have to comply with the Regulation – Non-EU organizations that do business in the EU with EU data subjects’ personal data should prepare to comply with the Regulation. Those providing products or services to EU customers or processing their data may have to face the long arm of the law if an incident is reported.
- The definition of personal data is broader, bringing more data into the regulated perimeter – Data privacy encompasses other factors that could be used to identify an individual, such as their genetic, mental, economic, cultural or social identity. Companies should take measures to reduce the amount of personally identifiable information they store and ensure that they do not store any information for longer than necessary.
- Consent will be necessary to process children’s data – Parental consent will be required for the processing of personal data of children under age 16. EU Member States may lower the age requiring parental consent to 13.
- Changes to the rules for obtaining valid consent – The consent document should be laid out in simple terms. Silence or inactivity does not constitute consent; clear and affirmative consent to the processing of private data must be provided.
- The appointment of a data protection officer (DPO) will be mandatory for certain companies – Article 37 of the GDPR states that data protection officers must be appointed for all public authorities. In addition, a DPO will be required where the core activities of the controller or the processor involve “regular and systematic monitoring of data subjects on a large scale” or where the entity conducts large-scale processing of “special categories of personal data”. Firms whose core business activities are not data processing are exempt from this obligation. The GDPR does not specify credentials necessary for data protection officers, but does require that they have “expert knowledge of data protection law and practices.”
- The introduction of mandatory privacy risk impact assessments – A risk-based approach must be adopted before undertaking higher-risk data processing activities. Data controllers will be required to conduct privacy impact assessments where privacy breach risks are high to analyze and minimize the risks to their data subjects.
- New data breach notification requirements – Data controllers will be required to report data breaches to their data protection authority unless the breach is unlikely to represent a risk to the rights and freedoms of the data subjects in question. The notice must be made within 72 hours of the data controller becoming aware of the breach unless there are exceptional circumstances, which will have to be justified. Where the risk to individuals is high, the data subjects themselves must also be notified, although the Regulation does not specify a timescale for this. Regular supply chain reviews and audits will be required to ensure that processors and suppliers are fit for purpose under the new security regime.
- The right to be forgotten – Data subjects have the “right to be forgotten”. The Regulation provides clear guidelines about the circumstances under which the right can be exercised.
- The international transfer of data – Since the Regulation is also applicable to processors, organizations should be aware of the risk of transferring data to countries that are not part of the EU. Non-EU controllers may need to appoint representatives in the EU.
- Data processor responsibilities – Data processors will have direct legal obligations and responsibilities, which means that processors can be held liable for data breaches. Contractual arrangements will need to be updated, and stipulating responsibilities and liabilities between the controller and processor will be an imperative requirement in future agreements. Parties will need to document their data responsibilities even more clearly, and the increased risk levels may impact service costs.
- Data portability – Data portability will allow a user to request a copy of personal data in a format usable by them and electronically transmissible to another processing system.
- Privacy by design – The GDPR contains requirements that systems and processes must consider compliance with the principles of data protection. The essence of privacy by design is that privacy in a service or product is taken into account not only at the point of delivery but from the inception of the product concept. There is also a requirement that controllers should only collect data necessary to fulfill specific purposes, discarding it when it is no longer required, to protect data subject rights.
- One-stop shop – A new one-stop shop for businesses means that firms will only have to deal with a single supervisory authority, not one for each of the EU’s 28 member states, making it simpler and cheaper for companies to do business in the EU. This will also have a positive impact on Internet service providers with offices in several EU countries.
What does the new EU General Data Protection Regulation mean for your organization?
Here is the IT Governance infographic that gives you a quick overview of everything you need to know to ensure compliance with the new EU General Data Protection Regulation:
- Check your company’s data protection policy and compliance with the new EU General Data Protection Regulation.
- Count on us for your document management projects and keep your company’s and your customers’ information assets secure, protected and compliant.
- Read our blog article “Customer data protection: how to eliminate risks of loss or exposure” to know more about data security breaches, best practices for customer data protection as a corporate-wide approach, and guidelines to really ensure customer data protection and compliance.
- Subscribe to our blog to receive valuable insights about document management and paper-free processes.
- Download the free Industry Watch Report by AIIM and Papersoft, “Paper-free progress: measuring outcomes”, and see how paper-free working is improving productivity, accessibility and compliance, the progress you’ve made, and how your organization compares to others.