GDPR: it’s everyone’s beer, or cup of tea! Everyone is talking about it, and there is also a high level of confusion about what exactly it is and how the regulation applies to organisations around the globe that operate in the EU.
In this first part of my GDPR blog series, I am highlighting the basics: the GDPR definition, key facts, scope, responsibility & accountability. The second part of my GDPR blog series is about data breaches, penalties, & challenges related to GDPR. The 3rd & final part discusses the key requirements & best practices to address the GDPR requirements (Parts II & III will be published in the next couple of days, so stay tuned!).
So, let’s start with the facts:
GDPR – What is it?
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a Regulation by which the European Commission intends to strengthen and unify data protection for individuals within the European Union (EU).
- The GDPR introduces a common data breach notification requirement: within 72 hours
- It’s a regulation and not a directive! This means that it does not require any enabling legislation to be passed by national governments
- Appointment of a Data Protection Officer (DPO) is mandatory (in most cases)
- It applies to all organisations operating within the EU
- It introduces mandatory Data Protection or Privacy Impact Assessments (DPIAs)
- There is liability for all organisations that touch any personal data (analogue and digital assets)
- It requires privacy implemented in systems and processes by design
- The GDPR introduces the concept of a one-stop shop (one regulation for all EU members)
Enforcement date: 25 May 2018, at which time organisations that are not in compliance will face heavy fines
Key GDPR Facts:
• EU definition of “Personal Data”:
– “Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
• GDPR introduces new obligations for any organisation that handles data about EU citizens - whether that organisation is located in the EU or not.
• It introduces data breach notification into European law for the first time. Notification time after a data breach: max. 72 hours!
• It forces stricter responsibilities on organisations to prove that they have adequate processes in place to manage and protect personal data.
• The regulation does not apply to the processing of personal data for national security activities or law enforcement ("competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties").
GDPR Scope, Responsibility & Accountability:
• A single set of rules will apply to all EU member states. It applies to all organisations operating in the EU.
• Data Protection Impact Assessments (Article 35) have to be conducted when specific risks occur to the rights and freedoms of data subjects.
• Risk assessment and mitigation are required, and prior approval of the DPA is needed for high risks.
• Data Protection Officers (Articles 37–39) are to ensure compliance within organisations. They have to be appointed for all public authorities and for companies processing more than 5000 data subjects within 12 months.
I am now approaching the end of this blog. So, what’s the takeaway here? In my view, we first need to understand the regulation with its underlying scope & accountabilities, as described briefly above. Secondly, we need to identify the possible challenges and the impact of the regulation on an organisation, and that is the subject of my next blog!
Well... Isn’t it time now to say goodnight? Or is it time to dream about Part II of the series? Stay tuned!
Learn more at www.servicenow.com/grc
*Source: EU GDPR homepage, EUR-Lex