Just what are the new GDPR Regulations?
The General Data Protection Regulation (GDPR) imposes new rules on organizations in the European Union (EU) and those that offer goods and services to people in the EU, or that collect and analyze data tied to EU residents, no matter where they are located.
- A regulation, not a directive
- Takes effect on May 25, 2018 (does not require EU member states to enact their own laws)
- Replaces a patchwork of laws across the EU (28 member states and 3 EEA member states)
- Applies to organizations globally that do business with, market products to, and gather behavioral data on EU residents
- Applies to both data processors and data controllers
- Sets fines and penalties
Privacy by Design & by Default
- Minimize the collection of personal data and ensure the right security controls are in place
- Perform a Data Protection Impact Assessment (DPIA) for high-risk data processing, or when transferring data outside of the EU
- Minimize the types of personal data collected from data subjects, and the storage of that data
- Be capable of legally justifying collection of specific types of personal data
- Data Controller must conduct a Data Protection Impact Assessment (DPIA) for high-risk processing (as well as meeting the many other GDPR requirements, including data security, privacy by design, breach notifications, legitimate interest, purpose limitation and fair processing)
- Controller must keep records of data processing activities
- You must obtain unambiguous (i.e. explicit) consent
- Opt-out is not permitted
- There is a presumption against consent
- Consent must be freely given, specific, informed, unambiguous, and given through a clear action
- Explicit consent is required for sensitive data
- Data subjects must have an option to withdraw consent (as easy as it was to give consent)
- Specific consent required for each new data processing operation (unless substantially similar to previous operation)
Data Subject Rights
- The right to access and correct personal data
- Right to erasure
- Data subjects may request:
  - A copy of their personal data
  - That their personal data be corrected
  - That their personal data be deleted (“right to be forgotten”)
The Controller may specify under which conditions personal data is shared, corrected and deleted in response to data subject requests.
- Consider when a data subject’s data is co-mingled with another data subject’s personal data
- Consider when a data subject’s data is part of a record that must be retained for tax purposes (invoices, contracts, etc.)
- Dealing with data subject rights is a legal question, not an information security question
- Applies to all organizations globally that collect, store and process personal data for EU residents
- Affects all organizations worldwide, no matter where in the world personal data is collected, stored or processed
Evidence of Risk Mitigation
- Demonstrate that appropriate measures have been implemented to mitigate privacy risks
- Maintain, and potentially provide to regulators, documentation regarding the data protections implemented, test procedures and audit results
RISK-BASED APPROACH & PENALTIES
A key objective of GDPR is to take a risk-based approach to data privacy, helping organizations prioritize compliance while maximizing privacy and the effective use of personal data. This encourages effective methods for ensuring a high level of protection of the rights and freedoms of individuals. It ultimately creates better outcomes and more effective protection for individuals, and it enables stakeholders to dedicate resources to the areas where risks and potential harm to individuals are most significant and to mitigate those risks.
Fines of up to 20M € (~$24M) or 4% of the organization’s annual global revenue, whichever is higher (data subjects can also claim compensation for damages from data breaches).
Here is a helpful link to the regulation broken down by article: https://gdpr-info.eu/