Here is a quick summary of the EU GDPR as it applies to U.S. companies. This article defines what it is, who it affects and how to respond to it, for U.S. companies trying to cope with this new European regulation.
Key GDPR Provisions
- What is GDPR – The EU GDPR (General Data Protection Regulation) is a regulation that lays down rules relating to the protection of EU Personally Identifiable Information (PII) and covers the processing of personal data and rules relating to the free movement of personal data. The GDPR and its compliance mandate require a new personal privacy protection process for a broad set of companies.
- What is Protected – Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
- When Does it Go Into Effect – May 25, 2018
- Geographic reach – The GDPR (and therefore the European privacy laws) also applies to organizations that are not located within the EU, but that do offer goods or services to, or monitor behavior of data subjects in the EU.
- Who Does it Affect – Companies who serve as Controller organizations and Processors for EU PII.
- Fines – The higher of 2-4% of worldwide revenue or 10-20M Euros.
- Regulation not a Directive – This is a regulation, not a directive, and it carries the power of law. It is a binding legislative act. It must be applied in its entirety across the EU. Individual States or local authorities may also supplement GDPR rules.
- Accountability to Be Compliant – Lawfulness, fairness, purpose limitation and transparency are required by the EU. The GDPR introduces a new principle: accountability. Organizations will not only be responsible for adhering to all the principles, they also must be able to demonstrate compliance with them.
- Data Protection Officer – An independent internal DPO is required, reporting to the highest level within the company. The DPO is required to provide regular and systematic monitoring of data and usage.
GDPR Data Subject Rights
Companies must provide transparent information, communication and systems to exercise the rights of the data subject.
- Consent to use data
- Controller & Processing Information
- Right to Access Data
- Right to Rectification
- Right to Erasure
- Right to Restrict Processing
- Right to Control Your Data & Portability
- Right to Object
- Right to Compensation (in cases of misuse)
Compliance requirements are categorized in several areas: governance, accountability, and security. They address the rights of data subjects, codes of conduct, and the management and security of private data.
Governance and Accountability
- Inventory of personal information
- Data minimization – minimize the data collected and stored
- Legal purpose for capturing and processing
- Security Measures Taken (see Security)
- Transfer limits – to 3rd parties
- Processing basis (Reason for, methods …)
- Storage time frame
- Must support the rights of the data subject, including:
  - Transparent information, communication, and systems for the exercise of the rights of the data subject
  - Information data access
  - Right to Object
- Data Protection Officer – New role, must be assigned
Security: Data Protection Designed into Entire PII System
Take security measures to ensure the confidentiality, integrity, availability and resilience of processing systems and services. The GDPR risk assessment is designed to assess the rights and freedoms of natural persons, i.e. the risks that an individual’s privacy is compromised. Companies must implement “appropriate measures” to ensure a level of security appropriate for the risk.
GDPR Security Checklist for Compliance
- Security Risk Assessment to assess the risk that user privacy will be compromised
- Is Subject Data Security sufficient to provide the following for processing systems and services:
  - Pseudonymization and encryption of data
  - Integrity & Resilience of data and processing system
  - BDR facilities suitable to restore data in a timely fashion
- Assess risks of accidental or unlawful destruction, loss, alteration, disclosure or access to PII
- Regular testing, assessing and evaluating technical and organizational measures for security of the processing
- Ensure Control of parties acting on the PII to ensure they are acting as directed by the controller only
Getting GDPR Compliant
Getting compliant requires the implementation of a process that includes an information audit, two risk audits, planning, documentation, policies and procedures, and ongoing monitoring and adjustments. Check out this article, which includes some additional detail on the Compliance Process.