GDPR: This Pan-EU Privacy Regulation Has Arrived
The compliance deadline for the General Data Protection Regulation (GDPR) has lapsed, but only 1 in 3 companies is ready, according to a new global survey conducted by ISACA.
The ISACA survey showed that by this coming May 25, 2018, the enforcement date of GDPR, only 29% of companies globally will be ready.
GDPR is a European Union (EU) regulation that requires businesses to protect the personal data and privacy of individuals residing in the EU.
Extra-Territorial Application of GDPR
While other country-specific personal data and privacy regulations are vague in terms of their extra-territorial applicability, GDPR makes it clear that it’s applicable even to businesses based outside the EU, so long as these businesses process personal data of individuals residing in the EU.
This means that processing of EU residents' personal data is covered by GDPR even when that processing takes place outside the EU.
Canadian businesses, regardless of their size, are therefore covered under GDPR so long as they process personal data of EU residents.
Businesses that violate GDPR can be fined up to €20 million or 4% of annual global turnover, whichever is greater.
4 Important Requirements under GDPR
If your organization processes data of EU residents, here are the 4 important GDPR requirements that your organization needs to comply with:
- Privacy by Design
GDPR requires businesses processing personal data of EU residents to put in place a system that ensures “Privacy by Design”.
The regulation specifically states that organizations “shall … implement appropriate technical and organizational measures … in an effective way … in order to meet the requirements of this Regulation and protect the rights of data subjects.”
Article 23 of GDPR specifically calls for businesses processing personal data of EU residents to store and process only the data absolutely necessary for the completion of their duties. This specific provision of the regulation also requires businesses to limit access to personal data to only those who need it to process the data.
Privacy by Design existed as a concept for more than a decade before it became a legal requirement under GDPR. Back in the 1990s, Dr. Ann Cavoukian, who was appointed Information and Privacy Commissioner of Ontario, Canada in 1997, developed the concept of Privacy by Design.
Years ago, Cavoukian put forward the following foundational principles of Privacy by Design:
Principle 1: Proactive not reactive: preventative not remedial
Principle 2: Privacy as the default setting
Principle 3: Privacy embedded into design
Principle 4: Full functionality: positive-sum, not zero-sum
Principle 5: End-to-end security: full lifecycle protection
Principle 6: Visibility and transparency: keep it open
Principle 7: Respect for user privacy: keep it user-centric
Many of these foundational principles of Privacy by Design are embodied in GDPR.
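The two controls the post singles out from Article 23, keeping only the data a task needs and restricting who can see it, are easiest to understand in code. The following is an added illustration, not code from the original post: it applies data minimization at intake and a need-to-know check at access time, with an audit trail of every decision. The purposes, field names and roles are constructed examples.

```python
# Added illustration, not from the original post: two Privacy by Design
# controls the post attributes to GDPR, applied at intake and at access time.
# Purposes, field names and roles below are constructed examples.
from typing import Dict, List, Set, Tuple

# Constructed mapping: each processing purpose lists the minimum fields it needs.
PURPOSE_FIELDS: Dict[str, Set[str]] = {
    "order_fulfilment": {"name", "shipping_address", "email"},
    "newsletter": {"email"},
}

# Constructed mapping: each role lists the purposes it is allowed to process.
ROLE_PURPOSES: Dict[str, Set[str]] = {
    "warehouse": {"order_fulfilment"},
    "marketing": {"newsletter"},
}


class AccessDenied(PermissionError):
    """Raised when a role asks for personal data outside its purposes."""


def minimize(record: Dict[str, str], purpose: str) -> Dict[str, str]:
    """Keep only the fields the purpose needs (data minimization).

    Applied at intake, so a field such as a date of birth that no purpose
    requires is dropped before it is ever stored.
    """
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"unknown processing purpose: {purpose}")
    return {k: v for k, v in record.items() if k in PURPOSE_FIELDS[purpose]}


def access(record: Dict[str, str], role: str, purpose: str,
           audit: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Release a purpose-limited view of a record to a role.

    Access is refused unless the role is mapped to the purpose (need-to-know),
    and every allow/deny decision is appended to the audit trail so that
    access to personal data stays reviewable.
    """
    permitted = purpose in ROLE_PURPOSES.get(role, set())
    audit.append((role, purpose, "allow" if permitted else "deny"))
    if not permitted:
        raise AccessDenied(f"role {role!r} may not process data for {purpose!r}")
    return minimize(record, purpose)


if __name__ == "__main__":
    # Constructed sample record: the date of birth is needed by no purpose.
    customer = {
        "name": "A. Example",
        "email": "a.example@example.invalid",
        "shipping_address": "1 Sample Street",
        "date_of_birth": "1980-01-01",
    }
    trail: List[Tuple[str, str, str]] = []
    print(access(customer, "warehouse", "order_fulfilment", trail))
    try:
        access(customer, "marketing", "order_fulfilment", trail)
    except AccessDenied as exc:
        print("denied:", exc)
    print(trail)
```

The point of keeping the purpose-to-fields mapping as data rather than scattering checks through the code is that the minimum data set for each purpose is then documented in one place and can be reviewed alongside the processing records the regulation expects an organization to keep.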
- Right to be Forgotten
Article 17 of GDPR enumerates the circumstances in which businesses must erase the personal data of EU residents, a concept known as the Right to be Forgotten.
Here are the conditions that entitle EU residents to the Right to be Forgotten:
- Personal data kept by an organization is no longer relevant to its original purposes; and
- Data subject withdraws consent for processing.
GDPR, however, provides that the Right to be Forgotten has to be balanced against “the public interest in the availability of the data”.
The Right to be Forgotten concept has its legal roots in the EU. The concept gained popularity when a Spanish national filed a complaint before the Court of Justice of the European Union against a Spanish newspaper and Google, asking them to remove personal data relating to his bankruptcy case, as the case had been fully resolved.
In May 2014, the Court of Justice of the European Union ruled in the landmark case that EU citizens have the right to ask search engines like Google to remove links that contain their personal data.
The court noted that the Right to be Forgotten isn’t absolute and has to be balanced against other basic rights, including freedom of expression and the public’s interest in accessing information.
The landmark decision didn’t directly order the Spanish newspaper and Google to erase the Spanish man’s personal data, but rather left it to those entities to decide whether the Right to be Forgotten outweighs the other fundamental rights.
Under GDPR, an organization can only process personal data of EU residents when the subjects consent to such processing. Article 17 of the regulation, for instance, requires organizations to erase personal data when the data subject withdraws consent and when data erasure outweighs other basic rights.
GDPR also requires organizations to provide intelligible and easily accessible consent forms. This means that consent forms with long, illegible, legalese-laden terms are no longer valid under this regulation.
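The erasure conditions above translate into a small decision procedure: each stored record either has a ground for erasure (its purpose has ended, or the consent it rested on was withdrawn) or it does not, and a documented public-interest reason can block erasure altogether. The following is an added example, not code from the original post, modelling exactly those rules over an in-memory store; the record layout, purposes, subjects and the hold reason are constructed.

```python
# Added illustration, not from the original post: a minimal erasure-request
# handler modelling the two grounds the post lists (data no longer necessary
# for its purpose; consent withdrawn) and the public-interest balance the post
# mentions. Record layout, purposes and subjects are constructed examples.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class PersonalRecord:
    subject_id: str
    purpose: str                      # why this data was collected
    data: Dict[str, str]
    consent_given: bool = True
    purpose_ended_at: Optional[datetime] = None  # set once the purpose is complete


@dataclass
class DataStore:
    records: List[PersonalRecord] = field(default_factory=list)
    # subject_id -> documented reason the data must stay available in the
    # public interest; an erasure request for such a subject is refused
    public_interest_holds: Dict[str, str] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)


def withdraw_consent(store: DataStore, subject_id: str, purpose: str) -> int:
    """Record that the subject withdrew consent for one purpose; returns the
    number of records affected."""
    hits = 0
    for rec in store.records:
        if rec.subject_id == subject_id and rec.purpose == purpose:
            rec.consent_given = False
            hits += 1
    store.audit.append(f"consent withdrawn: subject={subject_id} purpose={purpose}")
    return hits


def erasure_ground(rec: PersonalRecord) -> Optional[str]:
    """Return the ground on which the record must be erased, or None if the
    organization may still keep it."""
    if rec.purpose_ended_at is not None:
        return "no longer necessary for original purpose"
    if not rec.consent_given:
        return "consent withdrawn"
    return None


def handle_erasure_request(store: DataStore, subject_id: str) -> Dict[str, object]:
    """Erase every record of the subject that has a ground for erasure.

    A public-interest hold blocks erasure entirely and is logged, so the
    refusal can be explained to the data subject and to a regulator.
    """
    if subject_id in store.public_interest_holds:
        reason = store.public_interest_holds[subject_id]
        store.audit.append(f"erasure refused: subject={subject_id} hold={reason!r}")
        kept = sum(1 for r in store.records if r.subject_id == subject_id)
        return {"erased": 0, "retained": kept, "refused_for": reason}

    remaining: List[PersonalRecord] = []
    erased = 0
    for rec in store.records:
        ground = erasure_ground(rec) if rec.subject_id == subject_id else None
        if ground is None:
            remaining.append(rec)
            continue
        erased += 1
        store.audit.append(f"erased: subject={subject_id} purpose={rec.purpose} ground={ground}")
    store.records = remaining
    retained = sum(1 for r in remaining if r.subject_id == subject_id)
    return {"erased": erased, "retained": retained, "refused_for": None}


def build_sample_store() -> DataStore:
    """Constructed sample data used by the demonstration below."""
    store = DataStore()
    store.records.append(PersonalRecord("alice", "newsletter", {"email": "alice@example.invalid"}))
    store.records.append(PersonalRecord("alice", "order_fulfilment", {"address": "1 Sample Street"}))
    store.records.append(PersonalRecord("alice", "warranty_claim", {"serial": "SN-0001"},
                                        purpose_ended_at=datetime(2017, 6, 1, tzinfo=timezone.utc)))
    store.records.append(PersonalRecord("bob", "newsletter", {"email": "bob@example.invalid"}))
    store.public_interest_holds["bob"] = "constructed example: data forms part of a public-interest archive"
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print(handle_erasure_request(s, "alice"))   # completed warranty record erased, 2 retained
    withdraw_consent(s, "alice", "newsletter")
    print(handle_erasure_request(s, "alice"))   # newsletter record erased, 1 retained
    print(handle_erasure_request(s, "bob"))     # refused under the hold
    print("\n".join(s.audit))
```

The example deliberately erases per record rather than per subject: a record still needed for an ongoing purpose the subject consented to is kept even while others are removed. A production implementation also has to propagate erasure to backups and to any processors holding copies, which a single in-memory store does not show.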
- Data Breach Notification
With the upcoming enforcement of GDPR, organizations will no longer be able to sweep breaches of EU residents' personal data under the rug.
In case an organization suffers a data breach involving personal data of EU residents, the organization has 72 hours after becoming aware of the breach to report it to regulators. Notification to the affected customers, on the other hand, has to be done “without undue delay” after first becoming aware of the data breach.
GDPR Enforcement Update
While GDPR’s compliance deadline is looming, a report by Reuters said that the regulators who will police it aren’t ready either.
Seventeen out of 24 GDPR regulators surveyed by Reuters said they initially lack the powers and the funding necessary to fulfill their GDPR duties.
While this news may be a welcome relief to organizations that are not yet ready for the enforcement of GDPR, organizations shouldn’t be complacent.
According to Forrester (PDF), when done well, GDPR will benefit both brands and customers. “Firms anticipate privacy becoming an organizing principle for their organization, shifting company culture and altering the way firms work, not just internally, but with their technology and marketing vendors as well,” Forrester said in the paper “Embrace The GDPR To Gain A Competitive Edge”. “Through this change, firms expect to see increased loyalty, satisfaction, and engagement from customers as well as brand differentiation and uplift for themselves.”
When you need help, we are a phone call away. Call today (416) 920-3000