Are You Ready for GDPR?

3 November 2017

A little more than six months from now, the General Data Protection Regulation (GDPR) will replace the existing Data Protection Directive 95/46/EC. This will bring the biggest changes to data protection principles in two decades. The Directive was created in the mid-90s; it is severely outdated and no longer serves its initial purpose: to protect data subjects and handle their personal information properly. Nowadays, the way we operate with digital information has drastically changed. Users register, create, store, and update their personal data all the time, and the frequency will not decrease. Software and embedded systems operate on these data, and the interaction between them has become more sophisticated and ubiquitous. Furthermore, the recent highly publicized data leaks are affecting more and more individuals and demonstrate that current security standards require attention. It was only a matter of time before the new Regulation was approved; it will be enforced from May 25, 2018.

So, what exactly is the GDPR?

Basically, GDPR is Europe’s framework for data protection in a digitally transformed economy (where personal data is a kind of business asset). As the official website says, it is designed to “harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.”

The Regulation defines in detail the principles for how controllers (i.e., organizations or brands that interact with individuals) and their technical partners (processors) should set up their processes to comply with the new regime. Companies that don’t comply with it will be subject to significant fines and penalties of up to €20 000 000.

Some experts also see a reputational risk for brands whose processing of their customers’ personal data is non-compliant. It will not only affect their client relationships, but may also damage the brand’s image and even lead to loss of market share. From this point of view, brands still have a great opportunity to demonstrate that they respect their customers and value their trust, and to do whatever is necessary to comply with the GDPR.

Some new rights for individuals that should be ensured

With GDPR, individuals (or data subjects) will get more opportunities to access the information that’s processed about them. Under the GDPR, a request for personal data can be made free-of-charge and this information “shall be provided without undue delays and in any event within one month of request”.

Also, individuals gain the right to erasure (i.e., the right to be forgotten). This means that if the data subject withdraws the consent on which the processing is based, the controller shall have the obligation to erase the personal data without undue delay.

Another important point is the mandatory notification of a data breach. According to the Regulation, controllers should notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it.

Which companies will be affected?

The GDPR is a concern of any company that processes the personal data of individuals (“data subjects”) who reside in the European Union, regardless of where the company itself is located. Such companies are the “data controllers” and “data processors” of the Regulation.

Who exactly are these controllers and processors? Below are the definitions provided in Article 4 of the GDPR:

  • A “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • A “processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

In terms of the GDPR, “processing” means any operation or set of operations which is performed on the personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

As you can see, the definition covers a pretty broad list of possible operations on the information. So, if your company is involved in any of these processes, you are subject to the Regulation: your business model should comply with its requirements and ensure that any processing of personal data is lawful and fair.

It’s clear that once the Regulation comes into force, it will impose more rigorous responsibilities on data processors and controllers when it comes to data security. They will be required to “implement appropriate technical and organizational measures to ensure a level of security” appropriate to the risk.

What is interesting is that the GDPR also names a set of security measures that can be considered recommended practice:

  • The pseudonymization and encryption of personal data
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing

The GDPR also encourages controllers to implement the principles of data protection by design and by default, where feasible. This means that controllers should design products with privacy in mind, and that appropriate privacy-protective settings should be the default in any existing or upcoming product.

How to properly understand GDPR and prepare your company

Seeing the growing demand for GDPR compliance from small and large businesses, a number of firms have added consulting services and audits of internal processes to their portfolios. They can even set up a plan and a schedule for adjusting these processes and making them compliant with the requirements of the GDPR.

If you would rather rely on your own staff, you might want to have in-house experts on the GDPR. It’s time to decide who will be involved and to outline a proper plan. Finding information on the subject is not difficult: in addition to the actual text of the Regulation, there are plenty of analytical articles, webinars, and infographics on the web.

Depending on your business domain and technical specifics, you may find appropriate information on the websites or partner portals of the platforms you use, e.g., from Microsoft, Amazon, Shopify, HubSpot, etc.

Search engines already index a lot of material on “GDPR training”, and you will find a variety of courses and training programs in the search results.

Smartphone users can find applications in the App Store and Google Play that provide the actual text of the Regulation in a convenient format, so you can always have the information handy.

The clock is ticking…

It is important to understand that the digital interaction between users and online businesses will inevitably change, whether a business is directly or only indirectly involved in personal data processing. Therefore, if your company has not yet thought about the upcoming changes, it’s time to get acquainted with the GDPR and start a proper digital transformation of your business.