GDPR readiness, implementation, compliance: Evolving and expanding data privacy protection
The European Union (EU) enacted the General Data Protection Regulation (GDPR) to govern the collection, processing, use and storage of personal data relating to any individual in the EU (citizens, residents and visitors) as well as EU citizens living abroad. The EU designed the legislation to provide EU citizens with greater protections and rights as individuals. The regulation’s requirements represent the most significant change to data protection in decades and will effect the way organizations manage and handle an individual’s personal information.
The regulation was effective May 24, 2016, but provides for a two-year period prior to enforceability, with a May 25, 2018, enforcement date by which organizations must comply with its requirements. Though compliance will largely be self-monitored, organizations must be able to demonstrate it upon request of the EU or local authorities.
A great deal of confusion (and some misinformation) is swirling around about GDPR. Use this primer to get up-to-speed and determine your best approach to compliance.
First things first: To whom does the GDPR apply?
The GDPR not only applies to organizations located within the EU, but also to all organizations processing and holding the personal data of any individual in the EU (citizens, residents and visitors) as well as EU citizens living abroad, including all organizations processing and holding the personal data of these individuals, regardless of the organization’s location.
The GDPR will be enforced beginning May 25, 2018. Noncompliance penalties are significant, with potentially far-reaching financial, legal and material or nonmaterial damages.
- Financial: Fines of up to 4 percent of annual global revenue or €20 million – whichever is greater.
- Material or nonmaterial damages: Individuals will have a right to recover material or nonmaterial damages, including: loss of control over personal data or limitation of rights, discrimination, financial loss, damage to reputation, loss of confidentiality of personal data protected by professional secrecy and “other significant economic or social disadvantage.”
- Legal: Individuals can choose to sue either the data controller or the processor, or both, and possibly anyone in the supply chain, with the introduction of joint and several liability between parties engaged in the same data processing.
What data is covered under GDPR?
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
What rights and requirements are stipulated in GDPR?
According to the EU’s full GDPR regulation document, the regulation includes 99 articles defining the rights of individuals and responsibilities placed on organizations covered by the regulation. The regulation addresses the following major elements:
- Accountability and compliance
- Data access, transfers and portability
- Data security
- Data protection roles
- Explicit content
- Individual rights
- Rectification & erasure
Understanding key GDPR terms and concepts
There are some key roles, terms and concepts you should know as you navigate GDPR compliance:
- Data controller: Defines how personal data is processed and the reasons for processing
- Data processor: Maintains and processes personal data records (this could be an internal role or outside firm)
- Data protection officer (DPO): Oversees data security strategy and GDPR compliance
- Data minimization: Involves limiting personal data collection, storage and usage to data relevant, adequate and necessary in carrying out the reason for which the data was processed
- Right to be forgotten: States that individuals have the right to have their personal data erased and to prevent further processing in certain circumstances.
- Privacy by design and privacy by default: Involves incorporating data privacy into the design of all projects as well as the entire lifecycle of the data
What to do now
- Engage senior leadership in setting the tone at the top and establishing a sense of urgency around GDPR readiness and compliance. Prioritization of the effort starts with leadership.
- Involve all stakeholders in the effort as the impacts and requirements reach far beyond IT to include finance, sales, marketing, operations, human resources, and others – any function that collects, analyzes or handles/makes use of personal information. Consider establishing a task force to coordinate and implement compliance through policies, procedures and systems.
- Evaluate your current cybersecurity management program in the context of your ability to address GDPR’s requirements. Does it include the data privacy and protection elements and controls to ensure GDPR compliance?
- Conduct a GDPR readiness and risk assessment, including evaluating your GDPR footprint and the potential costs of compliance.
- Consult legal counsel. Engage legal counsel and ensure counsel has a solid understanding of what your organization does (and the data it touches), then obtain legal advice on your organization’s priorities and strategies for remediation.
- Execute risk mitigation measures to ensure compliance and implement an ongoing monitoring and assessment process.
Baker Tilly’s Cybersecurity & IT Risk practice is well versed in the requirements of GDPR and would welcome a discussion about your organization’s plans for compliance and the potential pitfalls of the new regulation. For more information or to start a GDPR discussion, contact us.