04.13.2018 | Client Alert
Any organization that offers goods and services to European Union (EU) citizens or collects their personal data will need to comply with the new General Data Protection Regulation (GDPR), which provides specific guidelines on data privacy.
In addition to targeting businesses that obtain data through sales activity, the GDPR applies to businesses that monitor an individual’s behavior in the EU—such as organizations that create a profile or seek to evaluate an individual’s preferences—without engaging in any transaction.
It is clear that the GDPR is casting a wide net—and the deadline for compliance is May 25, 2018.
What is the GDPR’s Goal?
Through the GDPR, the EU is attempting to mitigate an individual’s privacy risk by seeking to protect any information relating to that individual’s private, professional, or public life. This can range from basic information—such as name, mailing address, email address—to more detailed and personal information—such as bank details, social media postings, and medical data, to name a few. The new regulation requires that businesses adopt stricter data protection controls and set up procedures to alert those impacted when there is a data breach.
In attempting to protect the personal data rights of private individuals, the GDPR backs up this effort with large penalties for those violating such rights. Businesses failing to comply with certain requirements may, depending on the nature, gravity and duration of the infringement, be subject to fines from 2% up to 4% of their annual global revenue, or €20 million, whichever is greater.
Who is Responsible for Compliance?
The GDPR requires that organizations that process large amounts of sensitive data or systematically monitor data subjects must name a data protection officer (DPO). The DPO will monitor compliance with the GDPR and advise senior management on data protection issues and concerns, and how they may be addressed. To be effective in GDPR compliance, there needs to be a considerable amount of cooperation, coordination, and communication between the DPO and senior professionals within an organization.
GDPR’s “Bill of Rights”
Under the GDPR, individuals (data subjects) have the right to:
- Be informed about whether their personal data has been processed and for what purpose;
- Ask the data controller to erase their personal data, stop distributing their data, or have third parties stop data processing;
- Correct errors and make changes to inaccurate information;
- Transfer their personal data between service providers more easily; and
- Object to the marketing and processing of their data.
It is also important to note that language in the GDPR states that certain types of data—political opinions, state of health, race, among others—cannot be processed without the explicit consent of the data subject.
Preparing for Compliance
The GDPR standard is fairly large (11 full chapters and 99 articles) but there are certain steps a business can take to demonstrate that it is prepared or seeking to comply with this new standard.
Know Where Data Is Stored: Determine what personal data the business is storing and using. The GDPR requires that organizations prove that they know where personal data is stored. Therefore a verifiable inventory of personal data is necessary, as well as tracking exactly where it is being stored and how it is being used.
Determine Data Validity: Part of the risk analysis and assessment process is identifying, categorizing, and documenting all personal data elements, including name, email address, and any other data the organization has on an individual. Organizations may also have to gauge the varying levels of data quality and validate whether or not proper consent was obtained. Depending on the size of the organization and the complexity and variety of the information it houses, this could be a massive undertaking that, most likely, cannot be accomplished manually. As such, this may be the most pressing and time-consuming compliance responsibility.
Set up Strict Governance: Develop a written governance model that spells out who in the organization has rights to access the personal data collected and share such information within the business. Ensure that all roles and responsibilities are established clearly in the governance model. This provides the business with a level of control essential to GDPR compliance.
Arrange for Data Protection: The GDPR allows for three techniques to protect data:
- Pseudonymization; and
Applying the appropriate technique based on the user’s rights and the usage context is essential. This gives a business an opportunity to cleanse the data it houses and retain only data that is really needed and valuable for service or product delivery as well as for analysis.
Audit and Monitor: Regulators will want to see reports that clearly show that the business:
- Understands and has a plan in place to comply with the GDPR;
- Maintains controls that protect personal data;
- Limits data access to authorized personnel; and
- Regularly evaluates the effectiveness of its controls.
Prepare for Data Breach: Hope for the best and prepare for the worst. Regulators expect organizations to have a data incident response plan that has been tested and can be implemented immediately if a breach occurs. If breached, organizations should be prepared to uncover what data was impacted, how the breach occurred, and who should be notified, including EU authorities.
As enforcement of the GDPR progresses, the key to staying compliant is to be prepared and to consult with a trusted advisor if you have any questions or concerns.
Questions? If you have questions or need advice on your GDPR preparation, contact Alexander Moshinsky at 212.331.7448 | firstname.lastname@example.org.