Introduction
The GDPR (General Data Protection Regulation) is a single regulation that applies directly in every EU member state, without national implementing legislation, and binds organisations, public authorities and individuals that process personal data. Its purpose is to strengthen the control and protection that people in the EU have over their personal data, while increasing transparency and making it easier for European businesses to operate across borders under one set of rules.
GDPR applies from 25 May 2018. Failure to comply may result in administrative fines of up to 20 million EUR or 4% of the organisation's total worldwide annual turnover, whichever is higher.
The mindset of GDPR:
- The individual owns their personally identifiable information (PII); GDPR itself uses the broader term "personal data"
- Companies must regard PII as borrowed, not owned
- Accountability - Companies must be able to show why and how PII is used, and demonstrate that on request
Stronger Individual Rights
- Access and transparency - The right to obtain a copy of stored PII and to be told how it is used
- Rectification - The right to have inaccurate information corrected
- Erasure - The right to be forgotten
- Portability - The right to receive PII in a structured, machine-readable format and have it transferred to another controller
Data Protection Principles
- All PII must be processed lawfully, fairly and transparently
- Data can only be collected for specified, explicit purposes, and processing requires a legal basis, for example:
- Consent (must be documented, specific, freely given and revocable at any time)
- Contract (processing is necessary to perform an agreement with the individual)
- Legitimate interest (which must be balanced against the individual's rights)
- Data minimisation - The scale of collection must fit the purpose
- Data must be accurate and kept up to date
- Data cannot be stored in a form that enables identification for longer than the purpose of the collection requires
- Data must be processed securely, with appropriate technical and organisational measures
Technical and Organisational Impact
- Privacy by Design - Data protection built into systems and processes from the start
- Privacy by Default - The most privacy-protective settings apply unless the individual chooses otherwise
- Breach and incident handling processes, including notification of the supervisory authority within 72 hours of becoming aware of a breach
- Designated Data Protection Officer (mandatory for public authorities and for organisations whose core activities involve large-scale monitoring or large-scale processing of sensitive data)
- Documentation of all data processing activities and of all data processors used
Roles
The Data Controller
- The entity that determines the purposes and means of processing the data
- Bears primary responsibility for compliance with EU law
- Must be able to demonstrate compliance with the Data Protection Principles
The Data Processor
- Any third party that processes data on behalf of, and on the instructions of, the controller
- All data processors must fulfil the GDPR processor requirements, and the controller must bind them by a written contract
Data Transfer
- Data transfer is allowed within the EU and the wider EEA (Norway, Iceland and Liechtenstein)
- Data transfer outside the EU/EEA is generally prohibited, unless:
- the jurisdiction in which the recipient is located is covered by an adequacy decision, i.e. it is deemed to provide an adequate level of data protection
- the data exporter puts in place appropriate safeguards, such as standard contractual clauses or binding corporate rules; or
- a derogation or exemption applies, for example explicit consent of the individual for a specific transfer