The General Data Protection Regulation (GDPR) was introduced by the European Union (EU) to safeguard the personal data of individuals in the EU. It is a data protection regulation (Regulation (EU) 2016/679) that was adopted on 14 April 2016 and became enforceable on 25 May 2018. GDPR applies to organizations established in the EU and the European Economic Area (EEA), and it also governs the transfer of personal data outside the EU and EEA. (The individuals the data relates to are called "data subjects" in the GDPR; the data itself is "personal data".) Its primary aims are to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying the rules across the EU. Its scope also extends to organizations outside the EU that monitor the behaviour of data subjects in the EU or that offer goods or services to individuals in the EU, regardless of where the organization is located.
Today many government bodies, private companies and non-profit organizations hold our personal information, and that information can be misused. GDPR brings transparency to how it is handled and strengthens the fundamental rights of individuals.
Data protected under GDPR
GDPR sets standards for all personal data, defined as any data that can be used to directly or indirectly identify a living person. This may include a name, date of birth, address, financial information, national identification or social security number, a full facial photo, or insurance information. GDPR also singles out "special categories of personal data" (often called sensitive personal data, Article 9): racial or ethnic origin, religious or philosophical beliefs, political opinions, trade union membership, biometric or genetic data, data concerning sex life or sexual orientation, and any data concerning health. Processing these categories is prohibited unless one of the specific conditions in Article 9 applies.
For companies handling such personal data, it is crucial to implement the data protection requirements of GDPR within their systems. This usually requires a significant update of privacy policies, of contractual arrangements with EU counterparts (including data processing agreements under Article 28), and of internal data protection procedures and systems to make them GDPR compliant.
As part of these efforts, answers to the following questions need to be sought:
- What is our data footprint in the EU?
- What is the road-map for GDPR compliance?
- Do we have visibility of and control over what personal data we collect?
- How do we use it and who do we share it with?
- Have we adopted a cross-border data transfer strategy?
- Are we prepared to provide evidence of GDPR compliance to the privacy regulators?
- Do we have a breach-response plan that meets GDPR’s 72-hour notification requirement?
- Do we have a privacy-by-design program, documentation and escalation paths?
Become GDPR compliant
Data Protection Officer: GDPR (Article 37) requires a Data Protection Officer (DPO) to be designated by public authorities, by organizations whose core activities involve regular and systematic monitoring of data subjects on a large scale, and by organizations whose core activities involve large-scale processing of special categories of data or data relating to criminal convictions. Other organizations may appoint one voluntarily. The DPO's tasks (Article 39) include monitoring compliance, training staff, and advising on data protection impact assessments, so the role demands a thorough understanding of both the regulation and the organization's security practices. Review these tasks before assigning or hiring for the role.
Data assessment: GDPR makes it essential to obtain a detailed inventory of the personal data you hold and the workflows that touch it. The GDPR's broad definition of personal data covers names, ID numbers, location data, online identifiers (such as IP addresses and cookie IDs), and factors specific to a person's physical, genetic, economic, cultural or social identity.
Pseudonymization: The GDPR (Article 4(5)) defines pseudonymization as processing personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information. It is not mandatory in every case, but Article 32 names pseudonymization and encryption as examples of appropriate security measures, and Article 25 lists pseudonymization as a data-protection-by-design measure. Encrypting or tokenizing the identifying fields is one way to achieve it: the stored data is unintelligible on its own and cannot be attributed to a person without the decryption key or the lookup table. The GDPR requires that this additional information (the key or re-identification table) be kept separately from the pseudonymous data and protected by technical and organizational measures. Note that pseudonymized data is still personal data under the GDPR, because re-identification remains possible; only truly anonymized data falls outside its scope.
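The following is an added example (not code from the original article) showing the separation described above: direct identifiers in a record are replaced by keyed HMAC-SHA256 tokens, and the re-identification table plus the key are returned separately so they can be stored in a different system. It also shows why an unkeyed hash is not a safe pseudonym for a low-entropy field such as a date of birth. The sample records, the field names and the choice of HMAC-SHA256 are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta

# Fields treated as direct identifiers in this example (an assumption).
DIRECT_IDENTIFIERS = ("name", "email")

# Constructed sample records for the demonstration; not real people.
SAMPLE_RECORDS = [
    {"name": "Ada Lovelace", "email": "ada@example.org",
     "dob": "1985-12-10", "diagnosis": "hypertension"},
    {"name": "Alan Turing", "email": "alan@example.org",
     "dob": "1991-06-23", "diagnosis": "asthma"},
]


def make_key() -> bytes:
    """Generate the secret key: part of the 'additional information' that
    must be stored separately from the pseudonymized data."""
    return secrets.token_bytes(32)


def pseudonym(value: str, key: bytes) -> str:
    """Keyed pseudonym for one identifier value.

    HMAC-SHA256 over the normalised value: without the key the token cannot
    be attributed to a data subject, while the same value under the same key
    always yields the same token, so pseudonymized records remain joinable.
    """
    normalised = value.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymize(records, key):
    """Return (pseudonymized records, re-identification table).

    The table maps token -> original value and is the 'additional
    information' in the GDPR sense; it belongs in a separate, more tightly
    controlled store than the pseudonymized records themselves.
    """
    out, table = [], {}
    for rec in records:
        p = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            if field in p:
                token = pseudonym(p[field], key)
                table[token] = p[field]
                p[field] = token
        out.append(p)
    return out, table


def reidentify(record, table):
    """Restore direct identifiers using the separately stored table."""
    rec = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in rec and rec[field] in table:
            rec[field] = table[rec[field]]
    return rec


def unkeyed_hash(value: str) -> str:
    """The weak alternative: a plain SHA-256 of the value, no secret."""
    return hashlib.sha256(value.encode()).hexdigest()


def reverse_unkeyed_dob(digest: str, start=date(1900, 1, 1), end=date(2010, 12, 31)):
    """Recover a date of birth from its unkeyed hash by enumerating every
    date in the range (about 40,000 guesses). This is why an unkeyed hash of
    a low-entropy field is not a pseudonym: anyone can reverse it."""
    d = start
    while d <= end:
        if unkeyed_hash(d.isoformat()) == digest:
            return d.isoformat()
        d += timedelta(days=1)
    return None


if __name__ == "__main__":
    key = make_key()
    pseudo, table = pseudonymize(SAMPLE_RECORDS, key)
    print("pseudonymized:", pseudo[0])
    print("re-identified:", reidentify(pseudo[0], table))
    print("unkeyed DOB hash reversed to:",
          reverse_unkeyed_dob(unkeyed_hash(SAMPLE_RECORDS[0]["dob"])))
```

In a real deployment the key would live in a key management service or HSM and the re-identification table in a separate database with its own access controls, so that a compromise of the analytics store alone does not expose the data subjects. Rotating the key changes every token, which breaks joins across datasets pseudonymized under different keys; plan the rotation policy with that in mind.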
Security of personal data: GDPR Article 33 places the data controller under a legal obligation to notify the supervisory authority of a personal data breach without undue delay, and where feasible within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. If notification is made later than 72 hours it must be accompanied by reasons for the delay. A processor that detects a breach must notify the controller without undue delay. Under Article 34, the affected individuals must also be notified without undue delay when the breach is likely to result in a high risk to their rights and freedoms. Controllers must document every breach, including the facts, its effects and the remedial action taken, whether or not it was notifiable.
Privacy settings: GDPR Article 25 (data protection by design and by default) requires data protection to be built into the design of business processes, products and services. Privacy settings must therefore be set to the most protective level by default, and the controller should adopt technical and procedural measures to ensure that processing complies with the regulation throughout the whole processing lifecycle. Controllers must also implement mechanisms to ensure that, by default, only the personal data necessary for each specific purpose is processed, in terms of the amount collected, the extent of processing, the storage period and the accessibility of the data.
Exceptions in GDPR
The following cases fall wholly or partly outside the regulation, or are subject to national rules:
- Activities outside the scope of EU law, such as national security, and processing by competent authorities for law enforcement and criminal justice purposes, which is governed by a separate directive (Directive (EU) 2016/680)
- Data of deceased persons, which the GDPR does not cover; member states may regulate this under national legislation
- Processing in the employment context, for which member states may lay down more specific rules (Article 88)
- Processing of personal data by a natural person in the course of a purely personal or household activity