The European General Data Protection Regulation (GDPR) comes into effect on May 25, 2018, impacting not only countries within the European Union (EU), but all companies that hold the personal data of EU residents, regardless of the company’s actual location. The GDPR will introduce stringent sanctions for non-compliance, and inadequate control of personal data processing activities may result in financial penalties, class-action lawsuits, reputational damage, business disruption and revenue loss.
Bart Willemsen, research director at Gartner
Gartner predicts that despite the recent attention that the regulations have attracted, when they come into effect more than half the companies affected by the GDPR will not be fully compliant with its requirements.
There are five important changes organizations need to focus on to ensure compliance when the GDPR comes into effect:
The GDPR applies to businesses in the EU and to all businesses outside the EU that process personal data in relation to the offering of goods and services within the EU, or that monitor the behavior of data subjects in the EU. Any organization processing personal data is essentially a “data controller”. These organizations should appoint a point of contact for the Data Protection Authority (DPA) and for data subjects.
A data protection officer (DPO) will need to be appointed by many organizations due to the changes effected by the GDPR. This is particularly important when the organization is a public body, when its processing operations require regular and systematic monitoring, or when it has large-scale processing activities. “Large scale” does not necessarily mean huge numbers of data subjects — early drafts of the GDPR mentioned the processing of data on more than 5,000 subjects in any 12-month period.
When starting a new processing activity, decisions need to be made on purpose limitation, data quality and data relevance. This should also be applied to existing activities involving the processing of data, and will help to maintain compliance in future personal data processing activities. Organizations must demonstrate that they are accountable and transparent in all decisions regarding personal data processing activities. “Third-party service providers (i.e., data processors) must also comply, and this will impact an organization’s supply, change management and procurement processes,” said Mr. Willemsen. “Accountability under the GDPR requires proper data subject consent acquisition and registration. Pre-checked boxes and implied consent will no longer be sufficient. Instead, organizations will be required to implement streamlined techniques to obtain and document consent and consent withdrawal.”
The transfer of data to any of the 28 EU member states will still be allowed, as well as transfers to Norway, Liechtenstein and Iceland. If the European Commission (EC) has deemed any of the other 11 countries as having an “adequate” level of protection, transfers to these countries will also be possible. Outside of these areas, organizations should use appropriate safeguards, such as Binding Corporate Rules (BCRs) and standard contractual clauses (i.e., “EU Model Contracts”).
The rights of data subjects have been extended under the GDPR. These include the right to be forgotten, the right to data portability and the right to be informed (e.g., in case of a data breach, or to receive an explanation, for example of automated decision making in machine learning systems). “If a business is not yet prepared to adequately handle data breach incidents and subjects exercising their rights, now is the time to start implementing additional controls,” Mr. Willemsen said.
The ActZero Managed Detection and Response (MDR) Platform helps you prepare to detect whether you could be, or already have been, breached. With our dedicated team of analysts, we monitor systems and provide incident response for customers in many countries that will be subject to the GDPR rules on May 25th.