EU GDPR (General Data Protection Regulation) - Some Key Points

On 25 May 2018, one of the most sweeping regulatory changes business organizations have seen in several years came into effect: the General Data Protection Regulation (GDPR).

GDPR applies to every company that has collected data on EU and UK citizens regardless of its location or size – even “small” businesses and those based outside the EU and UK.

While it’s partly a security regulation, it’s also a privacy regulation designed to protect individual citizens’ basic human rights to control what personal data companies collect and keep about them.

It mandates that privacy needs to be built into systems, products, services, policies and processes as a default and by design.

This means that data privacy must be considered while the system is being designed and developed, not bolted on later as an addition or afterthought.

Here are some key points related to privacy rights of an individual in EU GDPR:
  • The flow of personal information, from consent through to “forget me”, needs to be handled with absolute care
  • A clear, end-to-end mapping of how that data flows is required to ensure the above
  • GDPR significantly enhances the rights of an individual over his or her personal information on key aspects such as consent, access, processing, oversight, deletion, breach and transfer
  • Allows users to object when their data is used improperly for marketing or profiling
  • Gives users the “right to be forgotten” by a company, i.e., to have all of their data erased
  • Gives users the right to have their data transferred to another company
  • Privacy Impact Assessment (PIA) is required where privacy risks are high

Here are some key points related to consent management in EU GDPR:
  • Under GDPR, users must give clear, affirmative consent for companies to collect and use their data, and companies can only use the data for the purpose for which it was collected
  • It also outlines special protections for children’s data, so an organization must ensure that its systems are accurately verifying ages and getting parental or guardian consent for children before processing data
  • Consent to use data needs to be obtained in an intelligible and easily accessed form that uses clear and easy-to-understand language
  • Withdrawing consent must be equally easy

Here are some key points related to Personally Identifiable Information (PII) in EU GDPR:
  • Personally Identifiable Information (PII) includes location data, IP addresses and online identifiers
  • The definition of PII is now much broader and includes information related to:
    • genetic and biometrics aspects
    • health and medical condition
    • sexual orientation
    • race, ethnicity
    • mental condition
    • cultural, economic, social aspects
    • political opinion
    • criminal records
    • religion
    • ideological beliefs

Here are some key points related to the major privacy-related organizational roles in EU GDPR:
  • Data subject – an individual who can be identified by reference to an identifier
  • Data controller – privacy stakeholder that determines the purpose and means for processing PII
  • Data processor – privacy stakeholder that processes PII on behalf of, and in accordance with the instructions of, the data controller
  • Data Protection Officer (DPO) - appointing a DPO, a custodian-like role, is mandatory for companies processing high volumes of personal data and good practice for others
  • Data Protection Authority (DPA) - the DPA is a supervisory authority; a company doing business globally will have to deal with one supervisory DPA

Here are some key points related to breaches and violations in EU GDPR:
  • Mandates that users and governing bodies be notified if their personal data is compromised
  • A data breach must be reported to the Data Protection Authority (DPA) within 72 hours
  • Imposes significant fines on non-compliance
    • Level 1 - €10 million or 2% of the worldwide annual revenue of the prior FY, whichever is higher
    • Level 2 - €20 million or 4% of the worldwide annual revenue of the prior FY, whichever is higher
  • A data processor can also be held directly liable for any breach of personal data