What to Expect When the GDPR Goes into Effect

The General Data Protection Regulation (GDPR) is the European Union’s latest data protection legislation, developed to address issues regarding data privacy. The GDPR gives EU citizens more control over what companies can do with their data, while increasing fines for non-compliance and data breaches. With a May 25, 2018 enforcement date, many companies are scrambling to ensure they are in compliance with the new regulation. The GDPR will have a worldwide impact on any business or organization that uses and collects EU citizen data. Here is what you need to know:

What is GDPR and what is it designed to do?

The GDPR is the new framework for data protection laws that will provide greater protection and rights to EU citizens regarding their data. The regulation will force companies to be more accountable for their handling of individuals’ personal information. Organizations will be required to provide terms and conditions along with requests for consent with regards to data processing in plain and clear language. Additionally, it must be simple and easy for individuals to withdraw their consent.

Who will be impacted?

The GDPR will impact organizations within EU member states, as well as all organizations that process or hold (data controllers or processors) personal information of data subjects residing in the EU, regardless of the organization’s location. Data controllers are defined as those who determine the how and why of personal data collecting, while processors are the parties or organizations that conduct data processing activity. This regulation applies to any organization offering goods or services to EU citizens.

Currently, under the regulation, personal data includes IP addresses. This affects WHOIS Lookups that provide internet users the ability to search internet domains to find the registered domain holder.  ICANN (Internet Corporation for Assigned Names and Numbers) is the entity in charge of overseeing and coordinating IP addresses, and the Domain Name System, which matches domain names with corresponding IP address numbers. This raises concerns regarding the compliance of GDPR and whether or not this information can remain publicly available.

What counts as personal data under GDPR?

Any information related to a natural person, or “data subject,” that can be used to directly or indirectly identify the person. This includes names, dates of birth, email addresses, various social media account handles, and economic, cultural or mental health information as well as online identifiers such as IP addresses.

What rights are provided to individuals?

A number of data subject rights are included in the regulation that provide EU individuals with more control of their data, including:

• Right to Access – when requested, the data controller (organization) is required to inform subjects if their personal information is being processed, where it is being processed, and the purpose of the processing. The data controller will provide a copy of the data for free to the subject.
• Breach Notification – Mandatory alerts are required for member states to all parties affected where a breach is “likely to result in a high risk for the rights and freedoms of individuals.” Alerts must be sent within 72 hours of notification of the breach. Data processors are required to notify customer and data controllers after becoming aware of a data breach, without “undue delay.”
• Right to be Forgotten – Data subjects retain the right to have data controllers erase their personal data, cease further dissemination of their data, and possibly halt processing of their data by third parties. For data to be erased, there must no longer be a relevant purpose for processing or a subject must withdraw consent.
• Data Portability – Data subject has the right to obtain and transmit their personal data to another data controller.
• Privacy by Design – Data protection must be incorporated at the creation of systems. The controller is required to implement appropriate technical and organizational measures to meet requirements to protect the rights of the data subjects. Controllers will only hold and process data that is absolutely necessary to complete duties.

When is the deadline?

What steps can organizations take to comply with the GDPR?

• Assign a Data Protection Officer (DPO) – DPOs are a new requirement under GDPR and are responsible for internal recordkeeping, monitoring compliance, as well as informing and advising the organization on how to maintain compliance.
• Check their current state of data protection rules and policies and update, if necessary.
• Reach out to security consultants, local regulatory bodies, or DPOs for guidance, if necessary.
• Audit the data currently collected, held, and processed within the organization. Determine if this data is necessary for operations and if the organization is in compliance with the GDPR.
• Incorporate the necessary provisions during creation of new systems to address and protect data privacy.
• Have policies and procedures in place in the event of a data breach, including the method of notification.

      THEN…

• Determine what procedures the organization needs to adopt or update.
• Educate all employees and customers about these changes.
• Procure technology that will support data privacy, data deletion, and data portability.

What are the penalties for non-compliance?

Organizations can be fined up to four percent of annual global turnover for breaching GDPR or 20 million Euros. This maximum fine will be applied to the most serious infringements. Fines placed on breaches of GDPR will be determined via a tiered approach.

Please visit the official EU General Data Protection Regulation (GDPR) website for additional details regarding the regulation.