So what is GDPR? How does it affect YOU? And most importantly, what is Ontellus doing to stay at the forefront of data security and compliance as it relates to GDPR?
GDPR replaces the EU Data Protection Directive (DPD) adopted in 1995 and is intended to establish one single set of data protection and privacy rules across Europe. If your company collects data concerning any EU citizen, GDPR applies to you, irrespective of where you are located. The crux of GDPR is that it gives control back to EU residents over their personal data being held by companies. They have a right to know why the personal data is being processed, have access to it and have the ability to have it erased.
Personal data is defined as any information relating to a person that can be used to directly or indirectly identify that person. This includes clear identifiers like names, addresses, phone numbers and social media posts. Indirect information might include IP addresses, physical, economic, cultural or social identities that can be linked back to a specific individual. In fact, there is no distinction between personal data about an individual in their private, public, or work roles—all are covered by the regulation.
Companies are divided into one of two groups under the GDPR: data controllers & data processors. Data controllers determine the purposes, conditions and means of the processing of personal data. Data processors process personal data on behalf of the data controller.
A key part of the regulation requires consent to be given by the individual whose personal data is held. Consent means “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.”
Furthermore, the company or organization must be able to show how and when consent was obtained. This consent does not need to be explicitly given; it can be implied by the person’s relationship with the company. However, the data obtained must be for specific, explicit and for legitimate purposes.
In March 2016, the UK Information Commissioner’s Office (ICO) published Preparing for the General Data Protection Regulation (GDPR) — 12 Steps to Take Now. Some of these steps for organizations are summarized below:
1. Ensure key departments are aware that the law is changing, and anticipate the impact of GDPR;
2. Document what personal data is held, where it came from and with whom it is shared;
3. Review current privacy notices, and made any necessary changes;
4. Review procedures to address the new rights that individuals will have;
5. Plan how to handle requests within the new time frames, and provide the required information;
6. Identify and document the legal basis for each type of data processing activity;
7. Review how content is researched, obtained and recorded;
8. Make sure procedures are in place to detect, report and investigate data breaches;
9. Designate a Data Protection Officer to take responsibility for data protection compliance.
The GDPR forces companies to notify supervisory authorities of a data breach within 72 hours of the incident. Citizens affected by the breach should be notified “without undue delay,” according to the regulation. Failure to comply can result in fines of up to 20,000,000 Euros.
At Ontellus, we respect your concerns about data privacy and are committed to provide our customers, including those who may be EU citizens, with the most secure and compliant tools available in the industry.
Ultimately, the new regulation will be a welcome change for both consumers and global organizations. By keeping a more vigilant watch on data and how it is processed, we are all less likely to experience an information breach.