From email addresses to medical information through to political opinions, the introduction of the General Data Protection Regulation (GDPR) has forced businesses operating in the European Union to address how they use the personal data of their customers. The EU introduced GDPR on 25 May 2018 to unify all member states' approaches to data regulation, ensuring that data protection law is applied identically in every country within the EU. It protects citizens from organisations using their data irresponsibly and puts the individual in charge of what information is shared, where it is shared and how it is shared.
Only 78 percent of organisations are aware that they must comply with GDPR even if they are based outside the EU but hold the data of EU residents. Any business found breaking this privacy standard can be fined up to 20 million euros or 4 percent of the company's global annual turnover, whichever is higher, which is why it is essential that affected companies understand the regulation and how it applies to them. Read on for an overview of what you need to know to be GDPR compliant.
Understanding GDPR – the basics
So, who does GDPR apply to? The answer is simple: every organisation registered in the EU or with a subsidiary in the EU, as well as organisations that sell goods or services to, or monitor the behaviour of, people in the EU. If your business stores, processes or monitors the personal data of EU residents, GDPR has applied to you since its introduction on 25 May 2018. The parties affected include data controllers, who decide on the purposes and methods of processing personal data and co-ordinate that processing, and data processors, who process personal data on the instructions of data controllers. Data subjects are also involved: they are the people in the EU whose personal data is processed when they use goods and services provided by the data controllers.
To ensure that data stored by businesses adheres to the regulation, it is important to understand exactly what kind of data needs to be protected. The GDPR defines personal data as any information relating to a person that can be used, directly or indirectly, to identify that person. Data such as a name, postal address, email address or photo of that person is obviously covered, but data such as an IP address, sexual orientation or medical information is also included in this definition. Sexual orientation, health data and similar "special category" data attract additional protection.
New obligations for businesses
Since the introduction of GDPR, it is the duty of all businesses to report personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where a breach is likely to result in a high risk to the people affected, they must also be informed without undue delay.
In order to help manage the obligation to process personal data safely, certain businesses are required to appoint a Data Protection Officer. This applies to controllers and processors whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data or data relating to criminal convictions and offences. Online betting and gambling operators, for example, have come under scrutiny because they hold large volumes of customer and lead data; that data, and the betting activity it records, must be managed properly and kept secure from attackers. Organisations that should appoint a Data Protection Officer include public authorities, organisations that perform large-scale systematic monitoring and those that engage in large-scale processing of sensitive personal data.
Businesses must also understand when they are allowed to process personal data under GDPR. With the consent of the individual, personal data processing is permitted. There are also specific situations where companies can process personal data without consent: where processing is necessary to protect someone's vital interests or to perform a task in the public interest, where a company needs to comply with a legal obligation or fulfil a contract with the individual, or where processing is necessary for a legitimate interest of the business that is not overridden by the individual's rights.
The customer is king
Customers now have much more control over their own data. Where consent is the lawful basis, it must be freely given, specific, informed and unambiguous before any personal data is processed, and explicit for special categories of data. Under GDPR, individuals have the right to request access to their data free of charge, and organisations must respond to such requests within one month (commonly stated as 30 days). In addition, customers within the EU have the right to be informed of who is processing their data and the right to request that their personal data be deleted (the "right to be forgotten"). Customers can also request that companies correct inaccurate personal data or transfer their data to a recipient of their choice (data portability). Unlike previous regulations, individuals can withdraw consent to the processing of their personal data as easily as they gave it, object to processing, or restrict companies from processing specific categories of personal data. Customers also have the right not to be subject to decisions based solely on automated processing, such as profiling by artificial intelligence, where those decisions have legal or similarly significant effects on them.
GDPR compliance checklist
There are 11 crucial steps to ensuring your business is GDPR compliant. Can you answer yes to the following questions?
Awareness – do the key decision makers and key people in your organisation understand GDPR and how it affects your business?
Personal data you store – have you documented the personal data you hold, where it came from and who you share it with?
Communicating privacy information – have you reviewed your current privacy notices and made the necessary changes to comply with GDPR?
Individuals’ rights – have you checked that you have a process to ensure your procedures cover all the rights individuals have to their personal data?
Subject access requests – have you updated your procedures to ensure you are able to fulfil any access requests regarding this data within the statutory time limit?
Lawful basis for processing personal data – have you identified the lawful basis for your processing activity, documented it and updated your privacy notice to explain it?
Consent – have you reviewed how you seek, manage and record consent to store and process data from individuals and made necessary changes?
Children – have you checked whether the special protection for children’s personal data brought in by the GDPR affects your business?
Data breaches – do you have the right procedures in place to be able to detect, report and investigate a personal data breach?
Data Protection Officers – have you designated a Data Protection Officer to take responsibility for data protection and GDPR compliance in your organisation?
International business – if your organisation operates in more than one EU member state, have you identified a designated lead data protection supervisory authority and documented this?
GDPR tools to help
Once you understand how the GDPR applies to your business and the obligations you must fulfil, and have checked your compliance via the questions above, it is important to ensure your business operates in a GDPR compliant way in the long term. Fortunately, there are some key tools covering security, assessment, data governance and management, and user consent to help.
Best tools for security
THE ABSOLUTE PLATFORM
An endpoint security solution that stays persistently connected to every endpoint, giving visibility, insight and real-time remediation capabilities for stopping breaches at the source.
Empowers enterprises to use collaborative platforms and resolve real-time security, management and compliance challenges, whilst solving information and data governance challenges relating to GDPR.
ALIENVAULT UNIFIED SECURITY MANAGEMENT (USM)
The leading provider of unified security management and community-powered threat intelligence required to detect and act on the advanced threats of today.
Best tools for assessment, data governance and management
AVEPOINT PRIVACY IMPACT ASSESSMENT (APIA) SYSTEM
Developed in conjunction with the IAPP, the world's largest information privacy organisation, the APIA System integrates an advanced GDPR Detailed Assessment developed in conjunction with Microsoft.
BIGID
BigID automates efforts to satisfy GDPR requirements with a centralised view of personal and private data across data repositories, helping companies understand the risks and their potential exposure of information through data science.
BMC DISCOVERY FOR MULTI-CLOUD
BMC offers a solution that automates asset discovery and application dependency mapping to give users a complete view of data centre assets and multi-cloud services and the relationships between them.
Best tools for user consent and compliance
CONSENTCHEQ GDPR COMPLIANCE DEVELOPMENT KIT (CDK)
PrivacyCheq leads the industry in innovative technology solutions covering the intersection of privacy and mobile devices. Their CDK is a solution for user consent and compliance.
A consent management tool that aids organisations in achieving data protection compliance for regulations like GDPR. Its user-friendly APIs let you deploy the tool within your own applications to capture and record user consent.
EVIDON UNIVERSAL CONSENT PLATFORM
Evidon is a leading consent and monitoring provider, focusing on simplifying digital governance. Their Universal Consent Platform is a patented transparency and consent solution for simplifying GDPR and other privacy regulations.
Whilst the introduction of GDPR requires companies to carry out an initial body of work reassessing their procedures and processes for personal data and making sure these meet the requirements, in the long term the EU believes that introducing a single protection law throughout the union will collectively save companies 2.3 billion euros annually. Understanding the regulation, how it affects your organisation and the tools you can use to manage personal data more safely is fundamental to being GDPR ready.