What is GDPR?
GDPR stands for General Data Protection Regulation (Regulation (EU) 2016/679). It is the EU law on the protection of personal data and the privacy of individuals in the European Union. It has global reach, because it applies to any organisation that processes the personal data of people who are in the EU, wherever that organisation is located, and it carries heavy sanctions for non-compliance. At its core it gives assurances and rights to people whose personal data is collected by businesses in order to deliver a service or product.
- GDPR stands for General Data Protection Regulation
- It evolved from, and replaced, the Data Protection Directive (95/46/EC) of 1995
- Adopted in April 2016 with a two-year transition period; it has applied since 25 May 2018, by which date compliance had to be in place
- Addresses modern uses of data (online identifiers, profiling, cross-border processing)
- Respects the individual's right to control their personal data
Cost of non-compliance
- Higher tier: up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher
- Lower tier: up to €10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher
- GDPR Article 83 sets out the two tiers, which infringements fall into each, and the factors (nature, gravity, intent, mitigation, cooperation) that determine the amount
Parties involved
- Data Controller: the entity that determines the purposes and means of processing personal data (typically the one collecting it)
- Data Processor: an entity that processes personal data on behalf of the Data Controller, for example a cloud or SaaS provider
- Data Subject: the identified or identifiable natural person whose personal data is being processed
- Data Protection Officer (DPO): the person designated by an organisation to ensure that data protection controls and the necessary governance are in place; mandatory for public authorities and for organisations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special categories of data (Article 37)
Data types
Personal Data – any information relating to an identified or identifiable natural person, i.e. data from which an individual can be identified, directly or in combination with other data
- IP address (an online identifier)
- Email address
- Postal address
- Name, phone number, account or device identifiers, etc.
Special categories of Personal Data (Article 9; processing is prohibited unless one of the listed exceptions applies)
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data used to uniquely identify a person
- Health data
- Sex life or sexual orientation
- Note: date of birth and gender are ordinary personal data, not special categories
Rights of the Data Subject
- To be informed, and to give or withdraw consent (consent must be freely given, specific, informed and unambiguous, and withdrawing it must be as easy as giving it; Article 7)
- Access to the personal data held about them (Article 15)
- Erasure, the "right to be forgotten" (Article 17)
- Rectification of inaccurate or incomplete data (Article 16)
- Portability: receive their data in a structured, machine-readable format and have it transmitted to another controller (Article 20)
- Not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects (Article 22)
Breach notification
- Data Processor: notify the Data Controller without undue delay after becoming aware of a personal data breach (Article 33(2))
- Data Controller: notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to individuals (Article 33(1)); if the breach is likely to result in a high risk to individuals, also inform the affected Data Subjects without undue delay (Article 34)
How am I impacted?
- If you are a business established in the EU, or a business anywhere in the world that offers goods or services to, or monitors the behaviour of, people in the EU, and you collect their personal data, then you have to comply with GDPR (Article 3). The data subject's citizenship does not matter; what matters is that they are in the EU.
- Data subjects can be:
- Your employees
- Customers
- In Canada, compliance with PIPEDA is not enough on its own
- In the United States, compliance with state privacy regulations is not enough on its own
Planning & Assessment
- Thorough assessment and understanding of the data subject information you hold (a data inventory, which also feeds the record of processing activities required by Article 30):
- Where is it stored, and who, including processors, has access to it?
- Which data elements are being collected?
- What is the purpose of data collection, and what is the lawful basis for it?
- Appoint a Data Protection Officer to provide proper guidance and governance oversight
Implementation
- Implement policies, procedures, and governance mechanisms that address:
- Tracking of explicit consent at every stage, i.e., recording when the data subject agrees to provide their data and when they withdraw that consent
- Data minimisation: collect only the information that is necessary to provide the required service
- Breach detection and notification procedures for both the Data Controller and the Data Processor, including the processor's contractual obligation to inform the controller
- How to serve Data Subjects' requests, without undue delay and at the latest within one month (Article 12), to:
- Delete their information
- Update their information for accuracy
- Move their data to another provider
- Controls to protect the data in storage and in transit, such as encryption, pseudonymisation, access control and logging (Article 32)
- Privacy by design and by default: build data protection into systems from the start and default to the most privacy-protective settings (Article 25)