On the 12th of October, we joined forces with Informatica to organize an educational meetup about the EU General Data Protection Regulation (GDPR). We saw a great deal of interest from small companies and large organizations alike, which made us realize that not enough has been said about the topic. During the event in Groningen, our Lead Consultant Margarita Dubovik shared some of her insight; she has been working for a while with a client on a project that runs alongside the client's other GDPR compliance preparations, which has given her an inside view of the topic. In this two-part article, we pick her brain and share some of that coveted expertise.
GDPR – Why should you care?
Set to take effect in May 2018, GDPR marks a significant move by the EU to unify and strengthen data protection for individuals within the borders of the Union. The new regulation replaces the national data protection laws of all 28 EU member states, so there will be no safe havens for companies and no way around it. Moreover, GDPR has international reach: it applies to any organization that processes the data of EU individuals.
Given that fines for non-compliance can reach up to €20 million or 4% of revenue (whichever is higher), you can see how GDPR motivates a fundamental change in the way companies manage personal data. Organizations with fewer than 250 employees will see less impact and more limited application, but will still be affected in a significant way.
GDPR – How did it happen?
There has been a lot of discussion about how GDPR came into existence. Honestly, it was a long time coming. Organizations have always followed public sentiment (albeit sometimes with a lag). We saw it in the 80s and 90s with more focus on employee satisfaction and well-being, then in the 2000s with a focus on the environment, and now, with all of the concerns about data and privacy, this legislation was bound to come sooner or later.
On the EU side, GDPR was badly needed: there was no single set of rules about data in a political and economic union governing half a billion people. What is more, there was no control over the collection and storage of personal data, not to mention that the rules about consent were murky on a good day. There were no procedures for data accuracy, and the bottom line is that things needed to change.
GDPR – Right to be forgotten
One of the main elements introduced by the GDPR is the right to be forgotten. In brief, it is the right of an individual to request the deletion of his or her personal data, and companies are now obliged to comply with such requests. Where the data has already been made public, the company (or “controller”) must take reasonable steps, including technical measures, to inform other controllers of the request. This means that third parties who have access to the data need to be informed as well.
What falls under the umbrella of “personal data” and “sensitive personal data”:
Personal data – “Any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.”
Sensitive personal data – “Sensitive personal data” are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership; data concerning health (Art. 4(15)) or sex life and sexual orientation; and genetic data (Art. 4(13)) or biometric data (Art. 4(14)). Data relating to criminal offences and convictions are addressed separately (as criminal law lies outside the EU’s legislative competence).
An interesting addition to “sensitive personal data” is the inclusion of genetic and biometric data, which have become more of an issue as of late. Furthermore, information about criminal convictions is now treated separately and is subject to even tighter controls.
GDPR – What is the next step?
With all of this (and much more) being said, how far along are companies in becoming GDPR compliant? Organizations with 250 or more employees will now need a Data Protection Officer to make certain that the legal requirements are met. You will start hearing more and more about companies “mapping their information” to get a complete picture of the data they hold. Any technology a company has recently developed also needs to comply with the new law. Contracts will be scrutinized even more strictly to be bulletproof for this new data world.
If you want to know more about what you, as an organization, need to do, don’t worry! In the second article of our GDPR series we will look in more depth at the checklist companies need to prepare in order to be compliant.