General Data Protection Regulation (GDPR) is a regulation that requires businesses to protect the personal data and privacy of EU citizens. This regulation is consistent across all 28 EU member states and also addresses the use of EU citizens' data outside of the European Union. The GDPR replaces the Data Protection Directive (Directive 95/46/EC) and becomes enforceable on 25th May 2018.
Types of private data under the GDPR
- Name, Address and Identification Numbers
- Data on your health and anything associated with it.
- Race and Ethnicity
- Sexual Orientation
- Political Opinions
- Digital/Web data such as IP address, cookies, location.
- Biometric data
Businesses affected by GDPR
Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if they do not have a business presence within the EU. The specific criteria for organisations to comply with are:
- If there is a presence in an EU country.
- Personal data of European citizens is stored or processed even without a presence in the EU.
- More than 250 employees.
- Below 250 employees but data-processing has an impact on the rights and freedoms of data subjects. Data processing is not infrequent, or includes certain types of sensitive personal/private data.
What else should I know about the GDPR?
- Companies that are non-compliant may face penalties of up to USD$23.4 million or 4% of their global annual turnover, whichever is higher.
- Data can only be stored and processed after the individual has given consent. The data can only be used for the duration required to achieve the purpose for which the individual gave consent.
- Personal data must be easily transferable from one company to another.
- Personal data must be erased upon request.
- Data breaches must be reported to parties affected by the breach within 72 hours from the detection of the breach.
- GDPR does not supersede legal requirements for storage and processing of data; e.g. Health Records.
How do I start the process for compliance?
Get everybody involved: One department alone is unlikely to get everything right, and it is best to get staff from across the organisation to work together and understand what type of information is being stored and processed. It is important to understand which of your customers are affected (EU citizens) and how their data is currently being stored and processed.
It is also likely that updates will have to be made to any interactive processes that automatically collect Personally Identifiable Information (PII), so that customers are notified of what data you are collecting and what you will do with it.
Data protection plan: If you already have one, have it reviewed to ensure it aligns with the GDPR regulations. If not, now would be a good time to implement one. The Personal Data Protection Commission has a really good guide to developing a data protection management programme. You can find it at this link. They also have a fact-sheet on the GDPR here.
Also, if you are looking for an effortless way to protect your communication data against breaches, please do look at the solutions we offer.