GDPR General Data Protection Regulation
GDPR REGULATION (EU) 2016/…
OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
on the protection of natural persons
with regard to the processing of personal data
and on the free movement of such data,
and repealing Directive 95/46/EC
The GDPR, General Data Protection Regulation, sets out data security principles similar to those in the current directive, including: fairness, lawfulness and transparency; purpose limitation; data minimization; data quality; security, integrity and confidentiality.
Businesses must ensure that customers’ personal data is processed in a manner that ensures its security, including protection against unauthorized or unlawful processing, and against accidental loss, destruction or damage.
The regulation says a number of measures can be used to achieve data protection, including encryption.
In addition, here are eight important factors that U.S. organizations should be aware of:
- GDPR establishes hefty fines for non-compliance. An egregious violation, such as poor data security leading to public exposure of sensitive personal information, could result in a fine in the millions or even billions of dollars.
- The regulation imposes detailed and demanding breach notification requirements. Affected companies here that are accustomed to U.S. state data breach reporting may need to adjust their breach notification policies and procedures to avoid violating GDPR.
- GDPR tightens the definition of consent. Data subjects must confirm consent through a freely given, specific, informed, and unambiguous statement or a clear affirmative action. In other words: silence, pre-checked boxes, or inactivity no longer constitute consent.
- The new regulation takes a broad view of what constitutes personal data, potentially encompassing cookies, IP addresses and other tracking data.
- GDPR codifies a right to be forgotten, so individuals can ask your organization to delete their personal data. Organizations that do not yet have a process for accommodating such requests will have work to do.
- GDPR gives data subjects the right to receive data in a common format and to ask that their data be transferred to another controller. Organizations that do not yet have a process for accommodating such requests will need to develop one.
- The regulation distinguishes between data controllers and data processors. Controllers are liable for the actions of the processors they choose. (The controller-processor relationship should be governed by a contract that details the type of data, purposes, uses, retention, disposal, and protective security measures; think Covered Entity - Business Associate under HIPAA.)
- GDPR increases parental consent requirements for children under 16.
Chapter 4: Controller and Processor
Data Protection by Design and Default
Chapter 4 of the GDPR not only contains the first mention of data protection by design and by default (Article 25), but also houses Article 30, which outlines record keeping requirements for both data controllers and processors; Article 32, which requires the implementation of appropriate technical and organisational security measures; and Article 35, which sets out the requirements for conducting Data Protection Impact Assessments (DPIAs).
Under Article 32, data controllers and processors will be responsible for considering the nature, scope, context, purposes, and risks associated with processing personal data, and will be required to implement technical and organisational measures to ensure protection.
The most effective way for controllers to comply with this is through implementation of data protection by design and by default, a critical aspect of any privacy program. Data controllers must also ensure that, by default, only personal data which are necessary for a specific purpose are processed—this applies to the amount of data collected, the accessibility of the data, storage length, and the extent of data processing.
Article 30 explains that both controllers and processors need to maintain records of processing activities — a new requirement for data processors. It is also expected that these records will be critical to organisations in successfully meeting other requirements of the GDPR, such as identifying and understanding the flow of international data and ensuring that adequate safeguards are in place.
Article 35 addresses the necessity to evaluate the impact that a specific data processing activity might have on the rights and freedoms of individuals. Data Protection Impact Assessments (DPIAs) are a crucial element of privacy by design and are vital to identifying potential risks and certifying the accountability of a controller’s efforts to safeguard personal data.
The Data Protection Directive (officially Directive 95/46/EC) on the protection of individuals with regard to the processing of personal data (PII, in U.S. terminology) and on the free movement of such data is a European Union directive adopted in 1995 which regulates the processing of personal data within the European Union. It is an important component of EU privacy and human rights law.
The General Data Protection Regulation, adopted in April 2016, will supersede the Data Protection Directive and will be enforceable starting on 25 May 2018.