The new General Data Protection Regulations come into force in May of 2018 and will bring about a higher level of data protection for European Union data subjects and lead to harmonization of laws across EU nations. By that time, non-EU companies must change their current data collection policies to comply with the GDPR if they process data of European residents.
Companies should review their data policies and look ahead to ensure the compliance of their business, products, operational plans, security systems, and privacy policies among others, with the new regulations, because even small application vulnerabilities can lead to serious consequences. One of the most serious and painful results of not doing so may be substantial penalties; companies can be held responsible and punished for their failure to comply with the new regulations. Fines can reach up to 4 percent of an enterprise’s annual income or up to EUR 20 million, whichever is greater.
To avoid such painful consequences, it is essential to be aware of what changes the General Data Protection Regulation will bring, and what the current condition of your organisation is in the context of the coming regulations.
Rapid notification of data breaches
Personal data security is extremely important for every organisation, and safeguards against data extortions, thefts or unauthorised transactions are steadily improving. Under the GDPR, in the case of a data breach, one of the obligatory activities is appropriate notification within 72 hours of the time when the breach occurs. The incident should be reported to the supervisory authority and to the data subject if this is necessary. The most reasonable solution for a company is to outsource problem management to a specialized external company which will be able to give its full attention to the problem and will evaluate the amount of damage.
Possibility to relocate personal data
The new data regulations give more security and control for private individuals to manage their personal data, for instance regarding data portability. This means that individuals whose data is in the enterprise’s database are entitled to transport their personal data from one location to another. The organization must allow for the transfer; moreover, the format and structure of all transferred personal information should be portable, adequate to a defined template and readable for the competitor’s system. Best practice requires a review of the whole information system to check the possibility of data export to a homogeneous template.
The right to erasure and to be forgotten
The right to erase personal data by private persons is not something new, but under the new General Data Protection Regulation it has evolved to a new form. Data subjects have the right to be forgotten and be erased from the records on demand. It is worth remembering that if data which has been collected and is managed by the organization is outdated, it must be removed and forgotten. The new regulations expand the reasons why data must be erased, for example when this data has been obtained unlawfully, when consent has been withdrawn, or when the storage period has expired. It is also worth mentioning the fact that the data subject has the right to be forgotten and erased from the records on demand. From the perspective of information systems, it is essential to be sure that your system is able to remove this data completely and permanently. Even though you may have deleted information, sometimes it may happen that this data still exists in in legacy form in your database.
Changes in classification of sensitive data
The GDPR expands the list of “special data” - that is, data revealing racial or ethnic origin, political opinions, religious affiliation, or health condition, and requiring heightened security and attention - with two new categories of data - biometric and genetic data which includes physical, physiological or behavioural traits. This kind of sensitive data may not be collected and processed in a way which allows it to uniquely identify an individual. However, in special circumstances, such as in the case of the express and voluntary consent of the data subject, or of a legal obligation to collect such data, this is permitted.
Cookies and IP can be personal data
The GDPR states that information coming from cookies and IP numbers, even if this information does not allow an individual to be clearly identified, can be recognised as a personal data because of the potential for an individual to be identified or singled out. Following with that decision, if organisation processing data, it should ensure an intensified security of information. The new regulations tighten rules regarding the acceptance of cookies; a statement informing that by viewing the site, the user accepts cookies will no longer be considered valid consent. The acceptance of cookies should be voluntary, and if users choose not to consent, the administrator should provide some level of service to those individuals as well. Additionally, if a user agrees to accept cookies, that user should have a way to withdraw that consent. Thus, a key issue is to make sufficient systems preparations to allow correct data processing and collecting.
Stricter rules for obtaining consent
A significant change concerns consent for data collecting and processing. In compliance with the GDPR, administrators should be careful to obtain consents from individuals for each purpose of data processing. The variety of purposes is large, including permission for service delivery and for targeting advertisement offers. Moreover, the legal conditions concerning data collecting should be transparent and written in plain language.
Data protection policy at the core of the system
The new rules obligate companies to make sure that all their business processes, information systems and services include data protection rules corresponding to the GDPR. The data protection policy needs to be taken into consideration at the beginning of the design process and built from the bottom up, and the organisation needs to be able to prove that they have done so. Moreover, the organisation must ensure that personal data is collected and used no longer than necessary, only for specific purposes, and disclosed to limited number of people.
One Stop Shop
The GDPR introduces a cooperation system between supervisory authorities for organisations which cooperate across the EU. International companies will only need to deal with the supervisory data protection authority where they have their main establishment. The Lead Supervisory Authority will be the most important authority organisation, but local authorities in urgent situations can step in. This cooperation will allow urgent cases to be dealt with appropriately.
Take the next step and prepare your company for changes
In the face of the GDPR, companies should consider how these new regulations may affect them and which key issues need to be addressed as a priority. The general aim of a data policy is to make sure that your organization addresses not only the legal aspect of privacy, but also to check if an appropriate IT infrastructure is in place, and if your company is properly prepared to manage and deal with data. In many cases, the new regulations obligate companies to adjust and improve systems in the organisation, so it is best to cooperate with an experienced and trustworthy IT partner who can help you optimise the whole environment.