Richard Hibbert, CEO of SureCloud, explains what GDPR is, what it covers and how organizations can achieve and maintain compliance
Many U.S.-based organizations that operate in Europe might not be thinking about how they will comply with the EU General Data Protection Regulation (GDPR), but they should, as it comes into force in May 2018.
The GDPR covers organizations that are located inside and outside the EU, applying to any business with operations, customers, suppliers or partners within the EU. The GDPR seeks to protect the rights and freedoms relating to the processing of personal data of EU citizens – so if a company wants to sell to or interact with those citizens, the GDPR applies to them.
Unlike its predecessor (the EU Data Protection Directive), the EU GDPR has teeth: it has the ability to fine organizations if they fail to adequately safeguard customer data against a breach or fail to report a breach to the supervisory authority within 72 hours. The fine can be up to €20m or 4% of a firm’s annual turnover, whichever is greater, at the discretion of the body enforcing the GDPR. However, a more significant concern is the reputational damage an organization would suffer in the event of a significant incident, which could see customers flee in droves, especially for businesses that process personal data as part of their business offering.
In short, this is an issue that businesses need to sit up and take notice of. Now is the time to understand what liabilities and responsibilities organizations will have under the GDPR, how they can be enforced, and crucially, how businesses can prove that they are compliant with them.
What does the GDPR cover?
The GDPR governs the ‘processing’ of ‘personal’ data, and enforces a broad range of requirements related to data processing.
Note that ‘processing data’ is a broad term covering all operations performed on personal data, including collecting, accessing, recording, storing, organizing, altering, retrieving, using, transmitting, combining, blocking or erasing. Even the simple act of viewing data constitutes processing.
There are several broad general principles that apply to the processing of personal data. Personal data:
- must be processed fairly and lawfully (‘lawfulness, fairness and transparency’);
- must be processed only for specified, explicit and legitimate purpose(s) that are notified to the data subjects (‘purpose limitation’);
- must be adequate, relevant and limited to what is necessary (‘data minimization’);
- must be kept accurate and up-to-date (‘accuracy’);
- must be retained only for as long as is necessary (‘storage limitation’); and
- must be protected by appropriate technical and organizational security measures (‘integrity and confidentiality’).
Organizations processing personal data (controllers) are responsible for, and must be able to demonstrate, compliance with the above principles (‘accountability’).
Lawful processing requires that, before processing personal data, the controller must first get affirmative ‘consent’ from the data subject. Controllers also need to ensure their processing activities are clear and transparent to the data subject; this can be achieved through mechanisms such as privacy statements.
It follows that to comply with these principles organizations will need to maintain detailed records of all processing activities. The next article will describe the challenges associated with maintaining such records, including compliance with regulatory obligations around exporting personal data outside the European Union.