GDPR – It’s Personal.
May 25th might be your birthday or a key event in your life, but it undoubtedly strikes fear into even the smallest business owner. May 25th is the day when the European Union’s new General Data Protection Regulation (EU GDPR) becomes law.
From May 25th onward, all companies regardless of size or location (even cloud-based) must adhere to the same regulations under the GDPR when using EU-citizen data. The GDPR impacts all organizations with a presence in Europe that collect and store personal data on EU individuals and offer goods or services to EU individuals, regardless of whether these individuals are customers, employees, partners, or suppliers.
Organizations based OUTSIDE of the EU, even those with no physical EU presence, are in theory also governed by the GDPR if they store similar personal data or offer goods or services to EU individuals, whether free or paid.
The GDPR consists of 99 articles, and reaching compliance may appear to be a daunting and costly project. There has been a lot of news coverage of the possible fines that can be imposed should a company suffer a data breach or find itself non-compliant. The legislation, the news coverage, and the sleep lost by CIOs leading up to May 25th, 2018, will allow EU citizens greater control over their personal data.
The GDPR defines Personal Data as “any information relating to a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person”.
In many cases, online identifiers including IP address, cookies, etc. will now be regarded as personal data if they can be easily linked back to the “data subject” (a living individual to whom personal data relates). There is no distinction under the GDPR between personal data about individuals in their private, public or work roles.
The first task in the GDPR compliance journey is to understand stored personal data: why it was collected; where it is held; who has access to it; the reason it is stored; how long it should be held for; how it flows through an organization, including third-party providers/processors; and ultimately how and when it is destroyed.
After understanding the personal data better, the next step is to document the findings. Non-compliance gaps can then be identified and policies developed to address them.
Privacy Notices also fall within the GDPR scope. Under the GDPR, rules on how organizations provide privacy information to individuals are more detailed and specific. The emphasis is on making privacy notices understandable and accessible to individuals, and organizations are expected to take appropriate measures to achieve this. The multi-page, ambiguous Privacy Notice with a checkbox at the bottom will no longer stack up.
It is also key to remember that even though organizations’ data is mostly stored electronically, GDPR is not an IT responsibility – it reaches across all facets of business operations and accountability. GDPR compliance has to be adopted at C-suite level by emphasizing “privacy by design” and by understanding and mitigating the risks of controlling and processing personal data. All data is crucial to business, and personal data is no different.
There’s no question that GDPR will help organizations build trust by enhancing transparency and security, and by enabling businesses to gain an advantage – embrace the change and the opportunity.
If it is your birthday today and you are an EU citizen, you have received a fantastic present: you are back in control of your personal data.
Author: Mark McGuinness, Belfast Delivery Lead