There’s one month until the EU General Data Protection Regulation comes into force on May 25, 2018. So we thought that we would write a quick summary highlighting some of the more important areas of the data privacy and protection law for those in the United States that are just realizing that they need to comply with the law and need an introduction.
This is a high level overview of some of the key sections of the law that companies preparing for GDPR compliance will need to tackle. However, the law is much more complex than the scope of this introductory article, which leaves out many of the exceptions and complexities. Please consult with your attorney or Clarip before relying on this advice in your preparations as some of it may not apply to you (or your situation may require compliance with other measures not identified here).
This article doesn’t cover some of the important initial aspects of a GDPR education, such as the definition of personal data, the difference between a controller or processor, and why people are called data subjects. These are covered on other areas of the Clarip website.
With those important caveats, let’s jump right in to the key areas of GDPR.
Recordkeeping:
Article 30 of the GDPR requires controllers and processors to keep written (or electronic) records of processing activities. This requirement applies to organizations (or enterprises) of 250 or more persons as well as organizations of any size that are engaged in high risk or regular processing. For organizations that are not technically required to comply with Article 30, it is still a best practice to generate records of its data processing and privacy processes. Documentation will both help focus personnel on protecting data privacy within the company as well as help.
Data Protection Officers
Organizations that have regular and systematic monitoring of data subjects on a large scale as a core activity must appoint a data protection officer to serve as a liaison with the supervisory authority, monitor compliance with the regulation, as well as inform and advise the organization about their obligations under the GDPR. The DPO needs to have sufficient expertise, resources and independence to fulfill their duties and tasks. For those organizations that are not required to have a DPO, it is still important to have someone at the corporation that is in charge of data privacy issues and GDPR compliance. The DPO position may be outsourced to an outsourced data protection officer like Clarip.
Data Protection Impact Assessments
DPIAs are required where processing is likely to result in a high risk to the rights and freedoms of EU citizens. The impact assessments include a description of the processing, the purpose, the legal basis, the risks to data subjects right and freedoms, and the safeguard and other measures to ensure the protection of personal data and comply with the GDPR. If it is not possible to mitigate a high risk to the rights of a data subject, then the controller must consult with the supervisory authority prior to processing.
Privacy by Design and Default
Organizations need to implement data protection and privacy principles at the beginning of the process creation as well as at the time of the processing to ensure that data minimisation and other safeguards are in place to ensure GDPR compliance. Additionally, organizations must implement privacy by default so that only necessary data collection and processing happens without the individual’s intervention in the process.
Transparency and GDPR
Organizations must process data in a transparent manner so that data subjects are informed about the usage of their data and their rights. This principle flows throughout the GDPR, from Articles 7 and 13 on informed consent to Article 12 requiring transparency with regard to data subject access rights. Privacy notices must be offered in a clear, concise manner in plain English in order to fulfill this requirement. Burying them in a long privacy policy is no longer acceptable.
Informed Consent or another Basis for Processing
Article 6 of the GDPR provides for six lawful basis of processing by controllers. Many organizations will rely on one of three: informed consent of the data subject, the necessity of the processing for the performance of a contract, or a legitimate interest of the organization that poses minimal risk to the rights or freedoms of a data subject. For any business that is interested in engaging in processing, it is important to establish the basis for each act of data collection, usage and sharing.
Third Party Processing
Article 28 of the GDPR is one of the key sections for processors and controllers that use processors. If an organization is passing data to a third-party for processing on its behalf, then the organization will need to conduct appropriate due diligence on its third-party vendors to ensure compliance with the GDPR and have a data sharing agreement to set forth the terms of the processing.
Data Subject Access Requests
The GDPR requires organizations provide access to the personal data in its possession about an individual, offer the ability to correct that personal data, export it, or delete it from the company’s possession. Organizations must be prepared to offer individuals the ability to exercise these rights with regard to their personal data at the organization.
Cybersecurity
Article 32 of the GDPR requires that companies ensure a level of data security from destruction, loss or unauthorized disclosure appropriate to the risk to data subject rights and freedoms. Organizations need to make sure that they are implementing appropriate technical and organizational measures to ensure encryption, pseudonymization and compliance testing, among other things, of data protection to ensure the privacy of an individual’s data.
72 Hour Breach Notifications
Controllers are required to notify the supervisory authority of a personal data breach without undue delay and where feasible not later than 72 hours after becoming aware of it. The notification requires disclosure of the nature of the breach, the approximate number of data subjects concerned, and the categories of personal records involved, among other things. If it is not possible to disclose all of the required information, then the information in the company’s possession must be provided and subject information provided in phases without undue delay.
Discover the Benefits of Privacy Management Software with Clarip
The Clarip data privacy software and team are available to help improve privacy and trust at your organization. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.
If you are working towards GDPR compliance, try our modular GDPR software. Start with our automated GDPR data mapping software, enhance your privacy program with DPIA software, and meet ePrivacy requirements with the cookie consent manager.
If California Consumer Privacy Act compliance in 2020 is on your radar, ask us about our CCPA software. Improve efficiency of responses to data subject access requests with our DSAR Portal, or provide the right to opt out of the sale of personal information with our consent software.
Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo and speak to a member of the Clarip team.
More Blog Posts on GDPR:
GDPR for Small Businesses Under 250 Employees
No Further Grace Period for GDPR Enforcement
Germany Demands More From Facebook on GDPR
GDPR Article 30: It’s all about the documentation
Security Requirements Under GDPR: More Than Meets the Eye
