By now I am sure that you have received several “for your protection, we have updated our privacy policy...” notices. Considering the importance of compliance and data security, it is no surprise that the General Data Protection Regulation (GDPR) has been a hot topic of late. However, it turns out that not everyone is prepared. In fact, 50% of global companies say they will struggle to meet the rules set out by the European Union (EU) unless they make significant changes to how they operate.
So what is GDPR? How does it affect YOU? And most importantly, what is Ontellus doing to stay at the forefront of data security and compliance as it relates to GDPR?
GDPR replaces the EU Data Protection Directive (DPD) adopted in 1995 and is intended to establish a single set of data protection and privacy rules across Europe. If your company collects data concerning any EU citizen, GDPR applies to you, irrespective of where you are located. The crux of GDPR is that it gives EU residents control over the personal data that companies hold about them. They have the right to know why their personal data is being processed, to have access to it, and to have it erased.
Personal data is defined as any information relating to a person that can be used to directly or indirectly identify that person. This includes clear identifiers such as names, addresses, phone numbers and social media posts. Indirect identifiers might include IP addresses, or physical, economic, cultural or social identities that can be linked back to a specific individual. There is no distinction between personal data about an individual in their private, public or work roles; all are covered by the regulation.
Companies are divided into one of two groups under the GDPR: data controllers and data processors. Data controllers determine the purposes, conditions and means of the processing of personal data. Data processors process personal data on behalf of the data controller.
A key part of the regulation requires consent to be given by the individual whose personal data is held. Consent means “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.”
Furthermore, the company or organization must be able to show how and when consent was obtained. This consent does not need to be explicitly given; it can be implied by the person’s relationship with the company. However, the data must be obtained for specific, explicit and legitimate purposes.
In March 2016, the UK Information Commissioner’s Office (ICO) published Preparing for the General Data Protection Regulation (GDPR) — 12 Steps to Take Now. Some of these steps for organizations are summarized below:
1. Ensure key departments are aware that the law is changing, and anticipate the impact of GDPR;
2. Document what personal data is held, where it came from and with whom it is shared;
3. Review current privacy notices, and make any necessary changes;
4. Review procedures to address the new rights that individuals will have;
5. Plan how to handle requests within the new time frames, and provide the required information;
6. Identify and document the legal basis for each type of data processing activity;
7. Review how consent is sought, obtained and recorded;
8. Make sure procedures are in place to detect, report and investigate data breaches;
9. Designate a Data Protection Officer to take responsibility for data protection compliance.
The GDPR requires companies to notify supervisory authorities of a data breach within 72 hours of the incident. Citizens affected by the breach should be notified “without undue delay,” according to the regulation. Failure to comply can result in fines of up to 20,000,000 Euros.
At Ontellus, we respect your concerns about data privacy and are committed to providing our customers, including those who may be EU citizens, with the most secure and compliant tools available in the industry.
Ultimately, the new regulation will be a welcome change for both consumers and global organizations. By keeping a more vigilant watch on data and how it is processed, we are all less likely to experience an information breach.
Melanie Pita, Esq.
Melanie Pita is a licensed attorney and industry executive with more than 20 years of experience in the claims and litigation field. As a graduate of both Indiana University Bloomington and Drake University Law School, Melanie has extensive experience resolving significant legal, business and compliance issues in C-Suites, board rooms and courtrooms. Melanie’s wide-ranging expertise includes litigation, insurance defense, claims management, medical malpractice, data privacy and security, HIPAA, SOC, electronic medical records, HITECH, healthcare compliance, contract negotiation, marketing, scrum/agile product development, and project management. Melanie currently serves as Chief Legal Officer for Ontellus, where she leads the in-house legal and product strategy teams.