A recent CompTIA survey of 400 US-based companies (published in early May) revealed that 52% are either still exploring the applicability of GDPR to their business, have determined that GDPR is not a requirement for their business, or are unsure. Just 13% say they are fully GDPR-compliant.
The General Data Protection Regulation (GDPR) has wide-reaching implications for many US businesses. It requires Legal, Compliance, Marketing, and IT to work together towards compliance. Failure to do so can mean fines of up to 20 million euros.
As an IT manager, maybe you’re still studying how you can help your company to avoid coming under fire. Let's tackle the top 6 frequently asked questions regarding GDPR.
1. What is GDPR?
The General Data Protection Regulation (GDPR) is a regulation of the European Union (EU) that describes how the EU protects personal data, including the transfer of this data outside the EU.
The GDPR is officially known as Regulation 2016/679 of the European Parliament, which was adopted on April 14, 2016, and will become enforceable on May 25, 2018.
It replaces the Data Protection Directive (DPD), which became effective in 1995. One of the most significant differences between these two pieces of legislation is the GDPR doesn't require EU members to pass enabling legislation to become effective in that country.
2. Does GDPR apply to US-based companies?
GDPR is a regulation of the EU, so it isn’t binding on organizations located in the United States. However, it can have a major impact on US organizations that do business with European companies.
GDPR regulates the transfer of personal data outside the European Economic Area (EEA), which includes the members of the EU, Iceland, Liechtenstein and Norway. In general, the GDPR prohibits organizations within the EEA from sending personal data outside the EEA unless the receiving party provides the level of data protection required by the GDPR.
The GDPR also requires these protections to travel with the data, which includes mechanisms such as adequacy decisions, binding corporate rules, certification mechanisms, codes of conduct, and standard contractual rules.
Implementation of the GDPR will therefore require non-European companies that handle personal data from the EU to make comprehensive changes to their business practices, if they haven’t already implemented the protective measures required by the GDPR.
3. How does it affect our data breach policy?
This regulation generally requires data controllers to notify the competent supervisory authority of data breaches without undue delay, provided the breach poses a risk to an individual's rights and freedoms.
Article 33 of the GDPR specifies that the data controller must make this report within 72 hours after becoming aware of the breach. The individuals affected by the breach generally must be notified if the breach will adversely affect them, according to Article 34.
However, this requirement doesn't apply if the data controller has implemented technical or organizational measures that render the data unintelligible to unauthorized personnel. In other words, the data controller doesn't need to inform someone when their personal data is breached if that data is encrypted.
It’s important to highlight that IT managers play a critical role in ensuring GDPR compliance for their organization's mobile device management policies. By implementing effective security measures, such as encryption and access controls, IT managers can help protect personal data and mitigate the risk of data breaches.
4. How does the GDPR affect consent of personal data use by companies? How do I obtain consent?
GDPR defines consent with respect to data collection in Article 4. Article 7 generally requires individuals to provide their consent before anyone can collect their personal data. This consent must be specific to the data being collected and the purpose for which it will be used.
A child's parent or custodian must grant consent to use a child's data, and that consent must be verified under the terms of Article 8. Data controllers have to be able to prove consent, and must provide all tools necessary for users to withdraw it at any time.
In general, this means that any time you ask a user for their data, they must be aware of it and accept it willingly. This has a wide reach: account creation, communications, online forms, non-essential cookies, etc.
5. Do I have to appoint a Data Protection Officer (DPO) to comply with the GDPR?
The EU law requires all personal data to be processed by a designated data controller, unless this processing is performed by an independent judicial authority acting in its judicial capacity.
This means the controller needs to monitor the processing of data subjects' personal data on a regular basis. This is where the Data Protection Officer comes in: the DPO acts as the compliance officer for the data controller.
The DPO must therefore have a clear understanding of the laws and regulations affecting the processing of personal data. This person must also be proficient at managing critical business processes related to personal data, including general IT and data security practices.
DPOs are also responsible for their continuing education independent of the organization that employs them. A supporting document last revised in April 2017 provides more details regarding the DPO’s role under the GDPR.
6. How will I know if I’m GDPR compliant?
Articles 37 through 39 require DPOs to ensure their organizations' GDPR compliance. This generally requires the continued review of all privacy efforts, and the implementation of local privacy policies.
Article 25 specifies that a business's processes must integrate data protection measures into their design, including the pseudonymization of personal data. This process involves transforming personal data in a way that prevents the data from being attributed to a specific subject without additional information, which must be kept separately.
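To make the pseudonymization requirement concrete, here is an added example (not code from the original article or from any GDPR guidance document) of one common way to implement it: direct identifiers in a record are replaced with keyed HMAC-SHA256 tokens, while the secret key and the token-to-identifier mapping are held separately as the "additional information" the article refers to. The record fields, the sample key and the `SAMPLE_RECORD` data are all constructed for the example; in a real deployment the key would come from a key-management system and the mapping would live in a separately access-controlled store.

```python
import hmac
import hashlib

# Constructed sample record; not real personal data.
SAMPLE_RECORD = {
    "email": "alice@example.com",
    "name": "Alice Example",
    "purchase_total": 42.50,
    "country": "DE",
}

# Fields that directly identify a natural person. Everything else stays as-is,
# so the pseudonymized record remains usable for analytics or support work.
DIRECT_IDENTIFIERS = ("email", "name")


def pseudonym(value: str, key: bytes) -> str:
    """Return a hex HMAC-SHA256 token for a normalised identifier.

    A keyed MAC is used rather than a plain hash: e-mail addresses and names
    are low-entropy, so an unkeyed SHA-256 could be reversed by guessing.
    Without the key, the token cannot be attributed to a person. The same
    input always yields the same token, so records about one person stay
    linkable (this is pseudonymization, not anonymization).
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymize(record: dict, key: bytes, lookup: dict) -> dict:
    """Return a copy of record with direct identifiers replaced by tokens.

    The token -> original mapping is written into lookup, which stands in
    for the controller's separately held 'additional information'. The
    caller is responsible for storing lookup apart from the data set.
    """
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            token = pseudonym(out[field], key)
            lookup[token] = out[field]
            out[field] = token
    return out


def reidentify(record: dict, lookup: dict) -> dict:
    """Reverse pseudonymization using the separately held mapping.

    Only someone with access to lookup (or the key) can do this, which is
    exactly the property Article 25 asks for.
    """
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out and out[field] in lookup:
            out[field] = lookup[out[field]]
    return out


if __name__ == "__main__":
    # Placeholder key for the demo; a real key is never stored with the data.
    key = b"placeholder-key-held-by-controller"
    lookup = {}
    pseudo = pseudonymize(SAMPLE_RECORD, key, lookup)
    print("pseudonymized:", pseudo)
    print("re-identified :", reidentify(pseudo, lookup))
```

Note that `pseudonym()` is deterministic on purpose: a controller typically still needs to join records about the same person. If that linkability is not needed, a random per-record token (stored only in the mapping) removes it, but the data then stops being useful for most of the analytics that motivate keeping it.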
The data controller is responsible for demonstrating that data processing activities comply with the GDPR even when another party performs those activities on the controller’s behalf. Article 35 addresses the Data Protection Impact Assessments that must be conducted when a data subject’s rights are subject to specific risks.
A national data protection authority (DPA) must also approve the DPO's risk assessment and mitigation procedures in cases involving high risk to the subject's rights.
The Road Ahead...
As you can see, GDPR is something you want to keep a close eye on. If you do business or offer a service in the EU, or plan to, you're bound to adjust your privacy practices to EU standards.
If you're an IT Manager, the ball is in your court! Take the time to assess your organization's standing and make sure you avoid future headaches due to bad privacy practices.