With the General Data Protection Regulation (GDPR) legislation set to go into effect on May 25th of this year, it’s no surprise that there has been a plethora of questions come our way regarding this data protection regulations. Digital Edge's VP of Compliance answers the most commonly asked questions!
What are the key benefits for this regulation?
A press release by the Economic Commission explains the GDPR goals as “reinforcing individuals’ rights, strengthening the EU internal market, ensuring stronger enforcement of the rules, streamlining international transfers of personal data and setting global data protection standards.”
Some benefits to EU residents include:
- The “right to be forgotten,” sometimes called the right to erasure. Under this legislation, EU residents can withdraw consent for their personal data to be used and can request that their data be deleted. The law requires companies to get explicit permission to process data, from cookies and IP addresses to phone numbers and DNA.
- Easier access to personal data. Under GDPR, EU residents have the right to know how their data is being used. It also makes it easier for individuals to transmit data between service providers.
- The right to know when your information has been compromised. Companies who collect data about EU residents must notify the authorities and subjects of the data breach as soon as possible.
- Data protection by default and design. Privacy-friendly default settings must be baked in during development of products and services – think of your email opt-in, mobile apps and social media settings.
- Penalties for companies that don’t comply. Non-compliance could result in penalties of up to 4% of the offending organization’s worldwide annual revenue.
What is meant by ‘personal data’ under this legislation?
Any information that can be used to identify a covered individual, including:
- Unique identifiers, such as social insurance account numbers.
- Location data that can be used to pinpoint an individual.
- Email address, phone number and other contact information.
- Characteristics specific to an individual, such as political opinions, religion and physical details.
- Specific categories of data, such as genetic and biometric information.
How do I now if my company needs to be GDPR compliant?
This is a common question; many businesses have questions to determine whether or not the GDPR would apply to their companies. Some were B2B businesses. Others employed less than 250 people. And many were U.S. businesses who do not sell products or services in the EU.
While there are many qualifications to the scope of GDPR applicability, here is the rule, plain and simple:
All companies that offer goods and services to EU residents or monitor the behavior of EU residents (even if it is a single customer) must comply with relevant obligations under the GDPR.
You must now maintain proof of how, when, where and why you collect and process their personal data.
This includes customer, supplier, partner and employee personal data.
What are the penalties for non-compliance?
Let’s start this one off with one of my favorite quotes:
"If you think compliance is expensive, try non-compliance." – Former US Deputy Attorney General, Paul McNulty
Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements (i.e. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts). There is a tiered approach to fines; a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and user about a breach or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement.
Do data processors need ‘explicit’ or ‘unambiguous’ data subject consent – and what is the difference?
Consent must be clear, unambiguous, and provided in an intelligible and easily accessible form, using clear language. It must be as easy to withdraw consent as it is to give it. Explicit consent is required only for processing sensitive personal data – in this context, nothing short of “opt-in” will suffice. However, for non-sensitive data, “unambiguous” consent will suffice.
What about users under the age of 16?
Parental consent will be required to process the personal data of children under the age of 16 for online services. (For more information on how to implement this type of consent, please contact us today!)
How do I know if I need to appoint a Data Protection Officer (DPO)?
DPOs must be appointed in the case of:
(a) public authorities,
(b) organizations that engage in large-scale systematic monitoring, or
(c) organizations that engage in the large-scale processing of sensitive personal data (Art. 37).
If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.
Under GDPR am I required to report a data breach? If so, what is the time frame?
Data breaches which may pose a risk to individuals must be notified to the Data Processing Addendum (DPA) within 72 hours and to affected individuals without undue delay.
If many of you still have questions - And we want to help as much as possible, so, feel free to contact myself at firstname.lastname@example.org or to our Cyber Security Compliance team at email@example.com .