What is General Data Protection Regulation (GDPR)?
GDPR is an EU regulation on the handling of personal data. It replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy law across Europe. GDPR was approved by the EU Parliament on 14 April 2016 and becomes enforceable on 25 May 2018.
GDPR is broader than the directive it replaces: the main data protection principles of Directive 95/46/EC are retained, but GDPR adds many new obligations and rights intended to strengthen the protection of personal data.
The GDPR was designed to harmonize data privacy laws across EU countries while at the same time giving individuals more protection and more rights. It applies to the personal data of customers and of a company's own employees alike.
The GDPR applies to companies established in the EU and also to companies outside the EU that offer goods or services to people in the EU or monitor their behaviour, regardless of where the company is physically located (Article 3). Such companies generally have to designate a representative in the EU (Article 27), but how the rules will be enforced in practice against companies with no EU presence is not yet clear.
Note: GDPR is a regulation, not a directive. A regulation is directly binding law in every EU Member State as soon as it applies; a directive only sets goals that each Member State must implement in its own legislation.
To answer the question "Is your company ready for GDPR?", you first need to understand what GDPR requires and which data it protects.
The answer is: all personal data of individuals in the EU. Personal data includes names, addresses, phone numbers and account numbers, and under GDPR also online identifiers such as email addresses and IP addresses. In the United States this type of data is usually called personally identifiable information (PII).
The EU uses the term "personal data" rather than PII, and its scope is wider. EU and US privacy law differ in more than terminology: in the EU privacy is treated as a fundamental right, while in the US privacy is balanced against efficient commercial transactions. For example, in some US contexts cookie IDs and IP addresses are not considered personal data.
"The EU approach defines PII to encompass all information identifiable to a person, a definition that can be quite broad and vague. This divergence is so basic that it threatens the stability of existing policy mechanisms for permitting international data flows."
(Quoted from Schwartz and Solove, Reconciling Personal Information in the United States and European Union.)
Even standard web forms are affected: a form that collects personal data must now tell the person what is collected and for what purpose, and obtain their consent to that collection.
One example: when a company says it may share your data with its partners, it must identify those partners by name, and it must give you the right to withdraw your consent.
Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
Preparing for the GDPR is complex and usually requires internal or external experts, and compliance has a real cost to the budget. Because so much changes, companies have to change the way they handle personal data in many places to become compliant.
Some of these changes are organizational (such as appointing a DPO or setting up data breach notification), but many must be made at a technical level, in how the business stores and processes data (such as the right to be forgotten, privacy by design, data portability and pseudonymisation).
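Pseudonymisation is the one item in that list that is easy to get wrong, because it is often confused with encrypting the dataset. GDPR (Article 4(5)) describes it as processing personal data so that it can no longer be attributed to a person without additional information that is kept separately. The following is an added example, not code from the article or from any vendor named on this page, showing one common way to do that: direct identifiers are replaced by keyed HMAC-SHA256 tokens, and the key plus the token-to-value table are the "additional information" held apart from the working data. The sample customer records are constructed for the example, and the choice of HMAC-SHA256 and the field names are assumptions; the example also shows why a plain unkeyed hash would not qualify, and how the same structure supports an erasure (right to be forgotten) request.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

# Constructed sample records for the example; not real people.
CUSTOMERS = [
    {"id": 1, "email": "alice@example.com", "ip": "203.0.113.5", "plan": "pro"},
    {"id": 2, "email": "bob@example.com", "ip": "198.51.100.9", "plan": "free"},
    {"id": 3, "email": "alice@example.com", "ip": "203.0.113.77", "plan": "free"},
]

# Assumed set of direct identifiers to tokenise; adjust to your own schema.
DIRECT_IDENTIFIERS = ("email", "ip")


class Pseudonymiser:
    """Replace direct identifiers with keyed HMAC-SHA256 tokens.

    The secret key and the token->value table are the "additional information"
    that must be stored separately from the working dataset; whoever holds only
    the tokenised records cannot attribute them to a person.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)
        self._lookup: Dict[str, str] = {}  # kept apart from the analytics data

    def token(self, value: str) -> str:
        # Deterministic, so the same person still links across records (which
        # distinguishes pseudonymisation from anonymisation), but not
        # invertible without the key.
        return hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()

    def pseudonymise(self, record: dict) -> dict:
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            tok = self.token(record[field])
            self._lookup[tok] = record[field]
            out[field] = tok
        return out

    def reidentify(self, tok: str) -> Optional[str]:
        # Only the party holding the separate lookup table can do this.
        return self._lookup.get(tok)

    def erase(self, value: str) -> bool:
        """Honour an erasure request for one identifier: drop its lookup entry.

        The tokenised records stay usable for aggregate analytics but can no
        longer be linked back to the person. Returns False if nothing was held.
        """
        return self._lookup.pop(self.token(value), None) is not None


def guess_without_key(tok: str, candidates: Iterable[str]) -> Optional[str]:
    """What an attacker holding only the dataset can try: hash likely values
    and compare. A plain unkeyed hash falls to this; a keyed HMAC does not."""
    for candidate in candidates:
        if hashlib.sha256(candidate.encode("utf-8")).hexdigest() == tok:
            return candidate
    return None


def demo() -> dict:
    """Run the whole flow once and return the observable results."""
    p = Pseudonymiser()
    recs = [p.pseudonymise(r) for r in CUSTOMERS]
    linked = recs[0]["email"] == recs[2]["email"]  # same person, same token
    before = p.reidentify(recs[0]["email"])
    p.erase("alice@example.com")
    after = p.reidentify(recs[0]["email"])
    guessed = guess_without_key(recs[1]["email"], [r["email"] for r in CUSTOMERS])
    return {"linked": linked, "before": before, "after": after, "guessed": guessed}


if __name__ == "__main__":
    print(demo())
```

The point of keeping the key and lookup table in a separate system (and under separate access control) is that the pseudonymised dataset on its own is no longer directly identifying, whereas an encrypted dataset is simply the same personal data in another form for anyone who holds the decryption key.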
When a business deals with personal data, these are the main questions for privacy and GDPR rules:
Once those questions are answered, you know which data you hold and why, and you can make the changes your organization needs to comply with the following GDPR rules.
Main changes:
Data Protection Officer (DPO)
The company should designate someone responsible for monitoring compliance with the GDPR and other applicable data protection laws, who acts as the point of contact between the business and the supervisory authority (the local Data Protection Authority, DPA) on GDPR matters.
A DPO needs management skills, real expertise in data protection law (GDPR in particular), and the ability to work with internal staff at all levels. The DPO's task is to ensure that the company's processing of personal data complies with GDPR.
DPO Must:
Note: appointing a DPO is mandatory for public authorities, for organizations whose core activities involve regular and systematic large-scale monitoring of individuals, and for organizations whose core activities involve large-scale processing of special categories of personal data (Article 37).
Data Controller: the natural or legal person that determines the purposes and means of processing personal data and is responsible for it. Controllers can be individuals or "legal persons" such as companies or government departments.
Data Processor: a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller. The concept of a "processor" does not change under the GDPR; any entity that is a processor under the Directive will most likely continue to be a processor under the GDPR.
These are the main changes your company needs to comply with and will have to keep managing once GDPR is in force.
Failing to comply with any of these rules (and these are only the primary rules; the full GDPR has 99 articles and your company must comply with all of them) can cost your company very large fines.
Those penalties are:
Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million, whichever is greater. This is the maximum fine, reserved for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of the privacy-by-design principles. Fines are tiered: a lower tier of up to 2% of annual global turnover or €10 million applies, for example, to not keeping records of processing in order (Article 30), not notifying the supervisory authority and the data subject about a breach (Articles 33 and 34), or not conducting a data protection impact assessment (Article 35). These rules apply to both controllers and processors, so cloud providers are not exempt from GDPR enforcement.
To read the full regulation, check the EU official GDPR page. Useful readings are also available at GDPR Info (the regulation listed article by article) and the GDPR Portal.
Having gone through most of the GDPR changes and rules, most of them mandatory, can your company now answer the question: is your company ready for GDPR?
Focusing on my own area, IT companies (large as well as small and medium-sized) tend to be more aware of this process. Companies like Google, Microsoft, Facebook, Amazon, VMware and others have already started internal programs to become GDPR compliant.
Cloud providers may say they are only "data processors", but they must comply with GDPR too. A provider such as AWS or Azure is a data processor for the data its customers store and a data controller for the data it collects about those customers itself; smaller cloud providers are mostly processors. Cloud backup companies such as Veeam and Vembu, their customers and their cloud partners are all preparing for the GDPR deadline, but some of them have already failed initial tests regarding GDPR compliance, so even the big companies still have a lot of work to do.
With three months to the deadline, we still read that many companies are not compliant with GDPR, that some do not know whether they need to comply, and, worse, that some believe they are not obligated to comply at all.
Most organizations do not fully understand the consequences of non-compliance. According to a SAS survey from six months ago, 45% of organizations have already started a GDPR compliance plan, but 58% are still not entirely aware of the consequences of non-compliance.
A year-old study from Veritas shows similar figures for businesses across Europe, the U.S. and the Asia-Pacific region.
Surprisingly (or not, for those who know government organizations from the inside), government organizations have the lowest rate of GDPR compliance (26%). These statistics show there is still a big gap between what needs to be done and what companies have actually done.
Hope this helps you to understand GDPR.
Comments (2)
Author commented: Yes, you are correct. I must say that I may have misused the word "encryption" in this section to explain pseudonymisation.
So I changed the text so that it is clearer what pseudonymisation is.
Thank you for your comment.
Luciano Patrao