The deadline for compliance with GDPR has come and gone, and your organization is fully compliant. Right? The truth is, many companies are still non-compliant with GDPR regulations due to a variety of reasons including misinformation, avoidance, or just not having the time and resources to dedicate to understanding the regulation.
GDPR is an encompassing regulation and policy change that affects people, organizations, and governance. This regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
GDPR should have come as no surprise, as the European Union has a history of establishing privacy norms, oftentimes much stricter than those of surrounding nations. Dating back to the 1980s, the individual right to privacy versus the state's need to collect information has been an ongoing issue, especially when that data is transmitted overseas. The GDPR was first proposed in 2012, adopted in 2016, and came into effect in 2018. The GDPR outlines a set of strict regulations, processing controls, and punishments if regulations are not met or followed through.
The basis of GDPR is that individuals have several fundamental rights when it comes to their data, but who is actually in scope for GDPR? The regulation defines those who are protected as living human beings residing within the EU. If your organization processes (collects, stores, or utilizes) data that can identify a resident of the EU, you are in scope.
A recurring theme within GDPR is consent. When collecting any data on a data subject, you must ensure that you are receiving clear and explicit consent, allowing the data subject to revoke this consent at any time. Other rights that data subjects have under GDPR include:
Right to Access: Request and view information
Right to Object: Object at any time to processing of personal data
Right to Restrict: Process data only with express consent
Right of Notifications: Communicate changes in data processing to subject
Right to Decision Making: Not be subjected to automatic profiling/processing
Right to Data Portability: Obtain and move data between controllers without limitation
Right of Rectification: Object and correct data processing
Right to be Forgotten: Request erasure from controller and processor
But how do GDPR and consumer rights actually affect your organization? The burden of proof and responsibility is on your shoulders. You must be able to prove consent, notify promptly (within 72 hours) of a data breach, address any complaints within one month, and provide reasonable and clear safeguards for the retention and transmission of data.
Additionally, there are new specialist roles within your organization to fill. A representative will be required if your organization does not have a physical presence within the EU. They will work in tandem with your organization, but are not liable for legal actions taken against it.
A Data Protection Officer is also required to perform functions that are a part of the GDPR regulation. The Data Protection Officer performs seven important functions:
1. Conducts Audits
2. Monitors and provides KPIs on protection efforts to leadership
3. Educates employees on proper compliance
4. Trains staff on GDPR procedures
5. Acts as the point of contact between the organization and GDPR Supervisory Authorities
6. Establishes retention records and oversees the management of those procedures
7. Acts as Privacy Representative for data subjects and supervisory authority
In addition to new roles, there are new assessments that your organization will need to conduct internally: a Data Protection Impact Assessment and a Legitimate Interest Assessment.
The goal and focus of both assessments is to determine a true need and value for the proposed or current use of data, and to demonstrate that the proper controls and safeguards are in place to protect the data of citizens. These assessments will also act as a paper trail in the event your organization is audited.