Join LeanIX this coming November at the 4th annual EA Connect Day. Amongst the many topics covered, General Data Protection Regulation (GDPR) will take the center stage. American research firm Gartner predicts that by the end of 2018, more than 50% of companies affected by the GDPR will not be in full compliance with its requirements. Don't be one of them!
What IS GDPR?
The General Data Protection Regulation (GDPR) is a regulation from the European Parliament, the Council of the European Union, and the European Commission that intends to strengthen and unify data protection for all individuals within the European Union.
What does it mean for my company?
GDPR forces companies to revisit the way they handle personal data of their clients. This regulation standardizes data protection law across Europe in order to give individuals better control of their data. Accordingly, the same data protection laws will apply in all EU member states in future; data protection "gray areas" will no longer exist in Europe.
KEY CHANGES UNDER GDPR
The GDPR introduces many new data accountability obligations, data restrictions, and security parameters that every business in the world that processes European citizens’ information must comply with.
- Increased Territorial Scope
Arguably the biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the General Data Protection Regulation, as it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location. - Penalties
The fine schedule is as follows:
€10 million or 2% of global revenue of the prior year
If it is determined that noncompliance was related to technical measures
€20 million or 4% of global revenue of the prior year
Applied to cases of noncompliance with key provisions of the GDPR. - Consent
The conditions for consent have been strengthened. Companies will no longer be able to use 25-page terms and conditions documents full of difficult jargon and legalese. The request for consent must be given in an easily accessible form, with the purpose of data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
DATA SUBJECT RIGHTS
- Breach Notification
Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach. - Right to Access
The right for data subjects to question the data controller as to whether or not personal data concerning them are being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift in data transparency and empowerment of data subjects. - Right to be Forgotten
Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. Conditions for erasure include the data no longer being relevant to original purposes for processing, or a data subjects withdrawing consent. - Data Portability
The right for a data subject to receive the personal data concerning them, which they have previously provided in a 'commonly used and machine-readable format' and have the right to transmit that data to another controller. - Privacy by Design
Privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition. Article 23 calls for controllers to hold and process only the data absolutely necessary for the completion of its duties (data minimization), as well as limiting the access to personal data to those needing to act out the processing. - Data Protection Officers
Your organization may be required to appoint a Data Protection Officer (DPO). Read more here.
There are many things to consider to comply with upcoming General Data Protection Regulation. Learn more about it at EA Connect Day, 21st November 2017 at adidas headquarters.