Where is GDPR applicable and does my organization need to be compliant?
The General Data Protection Regulation (GDPR) will replace the current Directive (Data Protection Directive 95/46/EC). It will not apply until May 25, 2018, but companies need to start preparing now, since some of its obligations may be onerous and time-consuming to implement.
What is personal data?
Based on the definitions in Article 2 of Directive 95/46/EC, personal data is any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity.
What is the EU General Data Protection Regulation (EU GDPR)?
Since 1995, European legislation has not updated the old directive (Data Protection Directive 95/46/EC). That directive had to be transposed into the national law of each member state, which resulted in differing rules between the countries of the European Union.
This new regulation (EU GDPR) was approved on April 14, 2016, by the European Parliament and the Council of Europe. It will apply directly in each country, ensuring consistent rules between nations on citizens’ privacy rights.
Some of the most relevant points are the following:
- Taking into account the nature and purpose of data usage, both those who determine the purpose and means of processing personal data (Data Controllers) and those who process it on their behalf (Data Processors) will, in order to comply with the EU GDPR, have to implement organizational and technical measures that achieve an appropriate level of data security in terms of confidentiality, integrity, availability, and resilience of the systems supporting that data, and they will have to regularly validate the effectiveness of these measures.
- Beyond EU companies, the EU GDPR covers companies outside of the EU that offer goods or services to EU Data Subjects (“an identified or identifiable person to whom the ‘personal data’ relates”), even if offered free of charge, or that monitor the Data Subjects’ behavior within the EU.
- Under the new regulation, organizations have to minimize data collection and retention and obtain consent from consumers when processing their data. In other words, they must minimize the collection of consumer data, minimize with whom the data is shared, and minimize how long it is kept. The goal is that organizations only collect or store the information they need for the intended purpose, particularly with regard to personal data.
- The EU GDPR strengthens the previous directive by giving the owners of personal data the right to be forgotten, i.e., the right to request that organizations delete their data, including data published on the web. The EU GDPR states that “the (…) controller shall have the obligation to erase personal data without undue delay, especially in relation to personal data which are collected when the data subject was a child, and the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay.”
- In case of a personal data breach, the company will have to notify the body responsible for this purpose, the Data Protection Authority (DPA) (“National supervisory authority, acting with complete independence, responsible for monitoring the application of data protection rules at the national level”), within 72 hours after having detected the breach. Whether affected individuals must also be notified depends on the possibility of unauthorized access to their information. Notification to the DPA is not required if the breach is unlikely to result in a risk to the rights and freedoms of individuals.
- If the organization is dealing with special categories of personal data on a large scale, it needs to appoint a Data Protection Officer (DPO) as part of its board.
- If these requirements are not met, the penalties are high: up to €20 million or, in the case of companies, up to 4% of annual turnover, whichever is higher.
Does my organization need to be EU GDPR compliant?
There are two types of responsibility regarding the protection of personal data: data “controllers” and data “processors.”
It should also be noted that the personal data of employees is included in the scope of this regulation.
So, the organizations that need to be EU GDPR compliant are:
- Companies (controllers and processors) established in the EU, regardless of whether or not the processing takes place within the EU.
- Companies (controllers and processors) not established in the EU offering goods or services within the EU or to EU individuals.
How can organizations prepare?
The impact of the EU GDPR is that personal data protection has to become a matter of vital importance for the top management of organizations. It is fundamental that policies are prepared on the basis of an accountability framework and transparent rules, so that the organization can respond rapidly to security incidents and the personal data leaks that result from them.
The adoption of standards such as ISO/IEC 27001 for information security will be the basis for quickly achieving compliance with the EU GDPR.
To learn more about how ISO 27001 can help with personal data protection, please read our free whitepaper Privacy, cyber security, and ISO 27001 – How are they related?
To find out whether ISO 27001 implementation satisfies EU GDPR requirements, see this article.