GDPR (General Data Protection Regulation) is the most wide-ranging data privacy law ever passed. It was designed to fortify and unify data protection for all individuals within the European Union. While it's a European data privacy law, its impact will be felt all over the world. Anyone involved in processing personal data about individuals in the EU must comply, whether they're located in the EU, the U.S., or anywhere else in the world. The fines for companies that fail to comply can range from 2% to 4% of global yearly revenue.
Just think about that. For many companies, these fines could reach into the billions. This wide-ranging scope and the potential for huge fines are why the GDPR, unlike privacy laws of the past, is getting so much attention from global corporations. While taking suitable measures to comply with this new law may seem costly, it's likely money well spent, as its impact will continue to be felt for several years, if not decades, to come.
The GDPR includes 99 different provisions directing companies on how to collect, manage, and process personal data, while outlining key data rights for EU residents.
What does the GDPR say? Well, in essence, it breaks down into four key concepts.
- Is your company lawfully processing personal data?
- Are you honoring your users' data subject rights?
- Are you meeting your company's responsibilities as a data controller or data processor?
- Are you designing privacy into your products?
A few of the significant changes the GDPR will bring about are:
Data Protection Officer (DPO)
First, many companies will be required to appoint a data protection officer, or DPO. This is an individual who has independent authority to oversee a company's compliance with GDPR.
Parental Consent for Children
The GDPR will provide protections for children under 16 by requiring parental consent before a child's personal data can be collected by a company. If your organization collects or processes the personal data of EU children under 16, this is an issue you will need to look into. The age for parental consent does vary across EU countries and can be set as low as 13.
Data Breach Reporting
Another fundamental impact is the amount of time that companies have to respond to a data breach. The GDPR mandates reporting data breaches to an EU regulator within 72 hours. That's just three days from learning of an incident. This means companies need clear escalation paths to their security and legal departments when a breach occurs.
Privacy by design
Privacy by design is a key concept of the GDPR. Privacy by design means thinking about data privacy and its implications when you're developing products, features, and even marketing campaigns based on personal data.
There are quite a few ways an organization can demonstrate and document compliance:
- Complete a privacy review process of products or features to ensure GDPR compliance before they go live. This is called a Data Protection Impact Assessment, or DPIA. DPIAs help document key decisions within an organization that have a privacy impact.
- Inventory the personal data the organization collects and stores.
- Update existing policies and procedures, or develop new ones if none exist, that outline how personal data will be protected, deleted, and processed.
- Provide training to ensure employees understand their role in helping to protect data and honor customer requests. This is important because without training, employees will not understand their responsibilities, and meeting the standards of the GDPR requires everybody in an organization to be on the same page about data privacy.
- Finally, consider setting up a help desk for users so that they know how to easily exercise their data subject rights. For an online business, consider updating the application settings you offer your users.
- Remember the golden rule. Treat the personal data of others with the same care as you would want your own data treated.
Most privacy issues can be resolved by following this simple rule.
Data subject rights, the lawfulness of processing, and the responsibilities of controllers and processors are key concepts of GDPR.
1. Data subject rights, or DSRs as they are often called, are rights designed to give individuals greater control over their data. DSRs are intended to give individuals control over who has access to their personal data and how it is used.
- The right to be forgotten, which means individuals can ask companies to delete their data.
- The right to access the data a company has about you.
- The right to portability, which allows individuals to ask companies to provide their data to another company on their behalf.
- The right to the restriction of processing, which allows an individual to require a company to stop processing their personal data.
- The right to rectify or correct data a company may hold about you.
- Finally, the right to object to the processing of personal data about you at any time.
2. Lawfulness of processing
The EU requires companies to have a legal basis for collecting, using, handling, and storing individuals' personal data. There are several ways companies can prove they are lawfully processing data, but the three most common methods are:
- Contractual necessity,
- Consent, and
- Legitimate interest.
Contractual necessity means there's an agreement in place between a company and an individual about the processing of personal data. This basis applies whenever the collection of data is necessary to fulfill a contract. So, for example, when you contract with your cell phone company, they must collect your location in order to provide you with service.
Companies can also rely on consent, but under the GDPR, that bar has been raised. In the past, consent had to be freely given and informed, but now it must also be unambiguous and followed by an affirmative action.
Finally, legitimate interest is another legal basis. It requires companies to balance the enterprise's interest against the rights and freedoms of the individual whose personal data is collected. So, for example, if you are making an online purchase, a company needs enough information about you to complete the transaction and prevent fraud. That company could, therefore, rely on legitimate interest as a basis for collecting your name, credit card information, and address. The company's interest in processing the transaction and preventing fraud outweighs your interest in protecting the privacy of your name and address.
Controllers and Processors
The final key concept I want to discuss is controllers and processors. Under the GDPR, companies are broken into two groups. Companies that decide how personal data will be processed are controllers. If you're processing data at the direction of another entity, you are the processor. Imagine for a moment that instead of talking about data here, we're talking about money. As a controller, you are responsible for keeping your money safe, deciding how to spend it, and who to share it with. If you're a processor, you're like a financial consultant. You're holding the money on behalf of your client, keeping it secure, and only using it the way your client tells you to.
As a controller, if you don't meet certain duties set forth in the GDPR, your company runs the risk of incurring a high fine and even being sued in Europe. If a processor mishandles data or makes an error, the controller can still be held accountable for failing to thoroughly evaluate the processor. If your vendor gets it wrong, under the GDPR, your company may also be caught in a bad situation.
The GDPR marks a major shift in the way companies need to think about and act on data privacy. We live in the age of data, and the GDPR marks the beginning of respecting and protecting the new-age gold: personal data. Data privacy is no longer just a matter for security and legal teams to resolve, but something every member of a company needs to be aware of and act upon.
Authored By - Satish Kulkarni
TCS Cyber Security Practice