Businesses based in the European Union or businesses outside the EU working with EU citizen data are currently marking their calendars for May 25, 2018. That’s when GDPR is coming.
GDPR stands for General Data Protection Regulation, and it is a relatively new business data compliance regulation. It contains a whole range of new rules that companies may need to enact for proper compliance, as there are strict fines for non-compliance. Your business may be fined up to 4% of global annual turnover for the previous financial year or €20 million, whichever amount is larger.
You might think that US-based companies are not affected by these new regulations. But, you’d be wrong. If your company processes any EU citizen data, you need to be GDPR compliant.
In this article we provide a general GDPR overview, including the main terms and requirements that you should be aware of.
As with any other regulation or legislation, GDPR brings new terms and definitions which you need to know to be compliant. Let’s look at some of these new terms, dividing them into two logical groups - participants and definitions.
The General Data Protection Regulation defines three groups of participants - two general groups and one new job position.
Controller — “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
In other words, a controller is any person or business that deals with the data of EU citizens.
Processor — “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
The processor is the second main participant that falls under the new regulation. A processor, basically, is any person or company that processes or stores data for the controller.
For example, suppose you back up your users’ data to Amazon S3. In that case, your company is the controller, and there are two processors - the company that performs the backups and the storage provider itself.
Data Protection Officer (DPO) — a new job position in the company. The DPO will be responsible for:
- Informational support of both controller and processor regarding the regulation
- Monitoring the processes concerning compliance
- Cooperation with supervising authority
Basically, the Data Protection Officer is an in-house data auditor. If you’re running a relatively small pool of clients and managing their data, you may not need a DPO on your team if you are capable of being compliant yourself. However, if you have a lot of clients and employees involved in data management, the chances are a lot higher that you may miss some small, yet important, process, which may lead to a data breach and a compliance problem.
There are several new definitions that will help you understand the GDPR much better.
Personal data - “any information relating to an identified or identifiable natural person.”
Personal data is any data connected to a person, such as:
- ID number
- Location data
- Any other data reflecting the economic, physical, cultural or social identity of the “data subject”, in other words, the person to whom that data relates.
Right to be forgotten — each person has “the right to have his or her personal data erased and no longer processed.”
This is the best-known new definition. It means that upon request from the person whose data you may be storing, you should delete that data and prevent any further processing of it.
Consent - "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
Consent is the most debated term of the GDPR. It is a necessary indication for the lawful processing of personal data. However, for marketing information that may be obtained from a number of 3rd party sources, it is particularly difficult to establish consent. This is a good reason to add new terms regarding data processing and management to all your contracts as well as your terms of agreement.
The General Data Protection Regulation document consists of 11 chapters and has 99 articles. Because of its length, we won’t describe in detail the whole text. We have only identified the most notable requirements that you should take into account while preparing for compliance.
All personal data under GDPR should be held in the European Union unless the data subject has made it clear that he/she agrees to the transfer of such data to third countries. This agreement might be added to the "Terms and Agreements" of a given service/product.
You should also take into account the availability of personal data to the data subject. That means you should, upon any request, be ready to inform the data subject about:
- Legal basis for the data processing
- Contact details of the controller and DPO of the data
- Purpose of the data processing
- From where the data originated
- The retention period for which personal data will be stored and the legal right for storing the data
If you are using a wide variety of 3rd party data vendors, it is highly recommended to contact them before compliance enforcement begins.
In the Event of a Data Breach
GDPR defines a data breach as follows:
“Personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
A data breach may lead to prosecution. That is why, for both controller and processor, data security is of utmost importance.
In case of a data breach, it is the controller’s responsibility to notify the supervising authority no later than 72 hours after the breach. After 72 hours, the authorities have the right to prosecute the controller for the delay. The data processor does not need to notify the authority if the breach has occurred on their side, but must notify the controller.
The controller also has to notify all subjects of the personal data about the breach. If, however, the personal data was encrypted and cannot be read, the controller may not need to notify the data subjects.
GDPR makes it important to review your business, technical and legal processes that can affect data collection, management or processing. It is a comprehensive view of data security. The regulation should be taken seriously, as the supervising authority has the legal right to prosecute both controller and processor for being noncompliant.
We highly recommend that you: