At this point, you’ve probably heard the widespread chatter about the upcoming impact of GDPR, and for good reason. While this new regulation has been enacted by the EU, it will affect how organizations engage with data on a global level. GDPR is a looming presence in large part because of the prohibitive fines for non-compliance (see below). With only a few weeks before it takes effect, many organizations are left trying to understand the legislation, its scope, and how to prepare for it.
We at SmartSimple want to help you not only understand the nuances of the GDPR legislation but be confidently compliant with it. This is why we’ve broken down the different elements of the new law in our latest GDPR Workbook. The guide is structured around a set of self-assessment questions designed to help you evaluate your preparedness for compliance with the law.
To get you started, here are 10 important things you need to know about...
1. What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR) is EU legislation designed to protect the fundamental rights of citizens and their personal data. This law not only ensures that people know where their private data is kept, it also holds organizations accountable for, and transparent about, their practices. EUGDPR.org lists the key changes.
2. When is the GDPR compliance date?
GDPR will be officially enacted on May 25, 2018, in Europe, and it will have significant impact on organizations around the globe. This means you. This new regulation not only shifts how organizations store data, but it also changes how they relate to data in general.
“The new legislation creates an onus on companies to understand the risks that they create for others and to mitigate those risks. It’s about moving away from seeing the law as a box-ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organization.” — Elizabeth Denham, UK Information Commissioner
3. The Scope of GDPR Affects More Than Just European Organizations
GDPR affects all organizations processing (collecting, recording, storing, using, etc.) personal data (any information relating to an identified or identifiable natural person) if the organization:
Has established controller or processor activities within the EU, regardless of where the actual processing takes place
If you're not established in the EU, you still have to comply if you are:
Offering goods or services to people in the EU
Monitoring EU residents
Obligated to comply via contract
This means that ALL organizations that engage with data from EU-based clients have to be compliant with the new regulation.
4. GDPR focuses on advocating and protecting data subject rights
All data subjects (people and entities) also have new and explicit rights. They now have the right to access their stored data, the right to rectification, the right to erasure, the right to restriction of processing, the right to object, and the right to data portability. In essence, any personal data that’s being stored needs to be completely accessible and transparent. Personal data now covers a vast range of information, including photos, bank details, social media names and posts, medical information, and even very granular data like IP addresses.
5. “Controllers” and “Processors” are mainly impacted
Two main entities are affected by the new regulation: data controllers and data processors. A controller is an entity that makes decisions about what data is collected and how that data is used. A processor is an organization directly involved in collecting, storing, and transferring that data. SmartSimple is a processor and our clients are considered controllers. GDPR stipulates our obligations as a processor around how we store information, and it requires that, as processors, we have mechanisms that make data transparent and accessible to data subjects.
6. GDPR is all about lawful use and consent
When it comes to data collection, implied consent (an assumed permission that’s not explicit) is out the door and is replaced by express consent (explicit written permission). Data must also be processed with full consent, meaning that the subject must willingly give their data for the stated purposes of processing. This means that there can no longer be pre-filled or auto-accepted consent webforms. If consent isn’t possible for the subject, the processing needs to rest on compliance with legal obligations, such as preventing fraud.
7. Data breaches are a big deal
If a data breach occurs, the organization must inform the proper authority within 72 hours, or face steep fines. Within this short deadline you need to report the nature of the breach and the approximate number of people affected by it. The people affected should also be notified, even if this takes place before reporting it. This response process needs to be an organized effort between the controller and the processor.
8. Non-compliance comes with a huge fine
The fine for non-compliance with the GDPR can be up to 20 million euros or 4% of your gross revenue (whichever is higher). In either case, this can put organizations out of business, so it’s imperative to comply.
9. The GDPR and Privacy Policies
The user of a website needs to have a clear understanding of how their data is being processed. The ICO’s website states that “the information you provide to people about how you process their personal data must be:
concise, transparent, intelligible and easily accessible;
written in clear and plain language, particularly if addressed to a child; and
free of charge.”
10. The GDPR and Cookies
Cookie policies are also affected by the implementation of the GDPR. Cookies store unique data about a user, which means that cookie consent will now need to comply with the GDPR.
When data is collected, users will have to take an intentional action to signal that they consent to the data collected from cookies. This means that the pop-ups currently used on many websites stating ‘By using this site, you accept cookies’ are insufficient. It also means that sites will need an opt-out option. One of the main points stated by the GDPR is that withdrawing consent must be as easy as giving it in the first place.