“My company will only process personal data if it is designed to serve mankind this year.” One might think that sounds like another halfhearted New Year’s Resolution that will lose momentum by February. However, it is one of the many requirements set by the Council of the European Union for the new General Data Protection Regulation (GDPR), which goes into effect on May 25, 2018.
The GDPR will prove to be the most momentous change to the way that companies create, process, and store data. It was designed to provide clear guidelines for all European Union (EU) members and their business partners. The EU is a group of 28 countries that operate as a cohesive economic and political bloc. You might think that if you’re not an EU member, this does not apply to you. But not so fast. For the first time in history, the rules will apply to everyone that is working with anyone within the European Union. Even companies like Amazon and Google have had to modify their cloud services to accommodate these changes. This will allow any data protection authority to take action against any organization that does business with EU members. Here are a few things to keep in mind as you make the necessary changes to your data procedures.
Define Personal Data for Me…
One thing to keep in mind is how the definition of personal data will change. The GDPR defines personal data as any information relating to an identified natural person. Notice the emphasis on “any”? The GDPR acts as an umbrella to include all information and not just ethnicity, gender or age.
The information defined as personal includes a natural person’s:
- Identification number
- Location data (IP Address)
- An online identifier (email address or social network)
Other factors include:
- Social identity
Data Protection Officer
With the increase in security requirements and regulations comes a need for company-appointed Data Protection Officers. These employees will need to inform and advise members of their organization of best practices for staying within compliance. According to one study, at least 28,000 Data Protection Officers will be needed to meet the GDPR requirements. Data Controllers are also required to conduct Privacy Impact Assessments to determine the privacy risks involved in processing their data. These assessments are carried out by the Data Protection Officers to ensure the information is kept safe once organizations have obtained valid consent.
Ensuring Protection of Personal Information
Many people are familiar with recent data breaches that have resulted in millions of individuals’ information being compromised. These breaches are troublesome, to say the least, and those affected often find out about them long after the incident takes place. In contrast, the GDPR will require organizations to report data breaches to their local data protection authority within 72 hours of discovering them. A data breach can result in penalties of up to 4% of the company’s global annual turnover for the previous fiscal year. If you were not taking data seriously before, these penalties will ensure you do in the future.
Data with an Expiration Date
A company must use the data it holds only for its original purpose. It cannot use it for something else. The data collected must always maintain a purpose, and it has to be deleted at the request of the data subject. No exceptions. The GDPR will ensure companies use data correctly or dispose of it immediately.
As you prepare for 2018, don’t forget to consider how the General Data Protection Regulation (GDPR) may affect your company. While you can let go of your New Year goals, the GDPR is one that you will have to keep.