“This year, my company will only process personal data if it is designed to serve mankind.” One might think that sounds like another halfhearted New Year’s Resolution that will lose momentum by February. However, it is one of the many requirements by the Council of the European Union for the new General Data Protection Regulation (GDPR) going into effect on May 25, 2018.
The GDPR will prove to be the most far-reaching and momentous change to the way that companies create, process, and store their data. It was designed to provide clear guidelines for all European Union (EU) members and their business partners. The EU is a group of 28 countries that operate as a cohesive economic and political bloc. You might think that if you’re not an EU member the GDPR is not your problem, but not so fast. For the first time in history, the GDPR will apply to every organization that does business with anyone within the European Union. Even companies like Amazon and Google have had to modify their cloud services to accommodate these changes. Furthermore, the GDPR allows any data protection authority to take action against any organization that does business with European Union members. Here are a few things to keep in mind as you make the necessary changes to your data procedures.
Define Personal Data for Me…
One thing to keep in mind is how the definition of personal data will change. The GDPR defines personal data as any information relating to an identified natural person. Notice the emphasis on “any”? The GDPR acts as an umbrella to include all information and not just ethnicity, gender or age.
The information defined as personal includes a natural person’s:
- Identification number
- Location data (IP Address)
- An online identifier (email address or social network)
Other factors include:
- Social identity
Data Protection Officer
With the increase in security requirements and regulations comes a need for company-appointed Data Protection Officers. These employees will need to inform and advise members of their organization on best practices for staying in compliance with the GDPR. According to one study, at least 28,000 Data Protection Officers will be needed to meet the GDPR requirements. Furthermore, Data Controllers will be required to conduct Privacy Impact Assessments (PIA) to determine the privacy risks involved in processing their data. Once the organization has received valid consent, the Data Protection Officers need to carry out assessments to ensure the safety of the information.
Ensuring Protection of Personal Information
Many people are familiar with recent data breaches that have resulted in millions of individuals’ information being compromised. These breaches are troublesome, to say the least. Those affected are finding out about them long after the incident takes place. In contrast, the GDPR will require organizations to report data breaches to the local data protection authority within 72 hours of discovering them. A data breach can result in a fine of up to 20 million or 4% of the company’s global annual turnover for the previous fiscal year. Furthermore, any individual whose data is compromised may seek compensation for any damages they have suffered as a result of the organization’s negligence. If you were not taking data seriously before, these penalties should ensure you do in the future.
Data with an Expiration Date
Data that is obtained by a company must only be used for its original purpose and cannot be used for any other reason. An individual may give consent for their information to be used for one thing, but the company cannot turn around and use it for something else. The data collected must always serve a purpose, and it has to be deleted at the request of the data subject – no exceptions. The GDPR will ensure companies either use data correctly or dispose of it immediately.
As you continue to prepare for the New Year, don’t forget to consider how the GDPR may affect your company. While you can let go of your “New Year New Me” goals, the GDPR is one that you will have to keep.