Is Your Enterprise Ready for the GENERAL DATA PROTECTION REGULATION (GDPR)?
It applies to any enterprise, irrespective of geography, that conducts business and retains personal information on even a single citizen of the EU.
New data privacy mandates have been issued by European Union regulation.
GDPR compliance must be achieved by 25 May 2018.
This includes any organization anywhere in the world, if it retains information on any citizen of the EU.
Its purpose is to better protect any individual's personal information, to secure rights for the individual over that collected information, and to require enterprises to follow a uniform scheme for data protection.
The GDPR gives data subjects an increased level of control over their information. It also aims to improve the data protection environment by ensuring that data controllers and processors are safe custodians of data, promoting behavioural change.
A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.
The GDPR provides for enhanced supervision by increasing the powers of the regulator as champion of the data subject, and businesses should consider the following key points to stay on the safe side.
Controllers must implement appropriate technical and organisational measures and procedures to ensure that processing safeguards the rights of the data subject by design.
There are a few key steps for a business that does not want to embark on a full review and overhaul just yet: (i) minimise the data collected; (ii) do not retain that data beyond its original purpose; and (iii) give the data subject access to and ownership of that data.
This is really a right of consumers to have their data erased. It is more far-reaching than a business might consider at first blush. A consumer or data subject can request at any time that a company erase the data it holds, and if that data has been passed on to any third parties (or third-party websites), they would have to erase it as well.
Penalties are serious: the GDPR allows for fines of up to €20 million or 4% of total worldwide annual turnover (whichever is higher), which would be a serious chunk of revenue for even the largest multinational.
There is a tiered approach to fines. For example, a company can be fined 2% for not having its records in order (Article 28), for not notifying the supervising authority and the data subject about a breach, or for not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors, meaning 'clouds' will not be exempt from GDPR enforcement.
If a personal data breach is likely to cause a high risk to the rights and freedoms of the data subjects, personal data breaches must be notified to the relevant data subjects without undue delay, unless the controller can demonstrate that encryption or other technology rendered the data unintelligible to third parties. So whether the data for 10 customers or 1,000,000 customers is lost, they would all have to be told. The potential for significant brand damage, litigation and media reporting of an incident is clear and could spell the end of a business overnight.
DPOs must be appointed in the case of:
(a) public authorities,
(b) organizations that engage in large scale systematic monitoring, or
(c) organizations that engage in large scale processing of sensitive personal data (Art. 37).
If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.
However, important projects need owners. Under the GDPR, a DPO is supposed to be responsible for creating access controls, reducing risk, ensuring compliance, responding to requests, reporting breaches and even creating a good data security policy. Businesses will need someone to act as the focal point in ensuring compliance with the GDPR, and they will need to appoint DPOs sooner rather than later.