General Data Protection Regulation (GDPR)
As of 25 May 2018, with the entry into application of the General Data Protection Regulation, there is one set of data protection rules for all companies operating in the EU, wherever they are based. GDPR is a set of rules designed to give individuals in the European Union (EU) more control over their personal data; it protects people who are in the EU, whether or not they are EU citizens. It also aims to simplify the regulatory environment for business, so that both individuals and businesses in the European Union can fully benefit from the digital economy.
The goal of the GDPR is to impose more stringent data privacy and security
measures and to require clearer, more user-friendly disclosures and reporting
on data protection practices. The regulation aims to let individuals control
the use and storage of their own data, including any personally
identifiable information.
Under the terms of the GDPR, organizations must not only ensure that
personal data is collected lawfully and under strict conditions; those
who collect and process it are also obliged to protect it from misuse and
exploitation, and to respect the rights of the individuals the data describes
(the "data subjects"), or face penalties for failing to do so.
What organizations does GDPR apply to?
The GDPR applies to any organization established in the EU, as well as to
organizations outside the EU that offer goods or services to individuals
in the EU or that monitor their behaviour (for example through online
tracking). In practice that means almost every major corporation in the
world needs a GDPR compliance strategy.
Is GDPR a compliance framework?
No. The GDPR is a legal text (a regulation), not a compliance
framework. Although the regulation provides for voluntary certification
mechanisms (Article 42), no GDPR certification or attestation scheme has
been established to date. An organization must comply with the GDPR, but
there is currently no audit program that confirms it does.
What are the types of data categories defined by the GDPR?
The regulation distinguishes two categories of personal data:
- Personal Data is any information relating to an identified or identifiable person: names, e-mail and postal addresses, phone numbers, usernames, IP addresses, credit card numbers and the like. Think: the data you might have to enter when you order a product online.
- Special Category Data is personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sexual orientation, as well as genetic, biometric and other health-related data. Processing it is prohibited unless a specific exception applies. Think: information that could be mined from your Facebook feed or your Instagram posts.
What types of entities are defined by GDPR?
- Controllers are the organizations (merchants and other companies that interact directly with consumers, for example) that decide why and how personal data will be used, or processed. The controller is the entity that determines the purposes and means of the processing.
- Processors are companies that process data on behalf of, and on the instructions of, a controller, such as a hosting or analytics provider that stores and catalogs that data. "Processing" refers to any operation (manual or automated, including but not limited to collection, recording, organization, storage or use) performed on personal data, and it is the activity that triggers GDPR obligations.
What European Countries are Part of GDPR?
GDPR covers all of the European Union Member States, which includes: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden.
The United Kingdom (England, Northern Ireland, Scotland and Wales) was an EU Member State when the GDPR entered into application and was governed by it; since leaving the EU it applies its own retained version, the UK GDPR. The Channel Islands and the Isle of Man are not part of the UK or the EU; they have their own data protection laws, which the EU recognizes as adequate.
The GDPR also applies in the European Economic Area (EEA) countries Iceland, Liechtenstein and Norway.
Are Canadian organizations affected by the GDPR?
Yes. A Canadian organization that processes or stores personal data of individuals in the EU, for example because it offers them goods or services or monitors their online behaviour, must comply with the GDPR regardless of where it is based.
How much is a GDPR fine?
Under the GDPR, fines are imposed by the data protection supervisory authority in each EU country. That authority determines whether an infringement has occurred and how severe the penalty should be. Article 83(2) lists the criteria it must weigh when deciding whether to fine and how much: the nature, gravity and duration of the infringement; whether it was intentional or negligent; action taken to mitigate the damage; the technical and organizational precautions in place; previous infringements; cooperation with the authority; the categories of data affected; how the authority learned of the infringement (including self-notification); compliance with any corrective measures previously ordered; adherence to approved codes of conduct or certifications; and any other aggravating or mitigating factors.
If an organization infringes several provisions of the GDPR in the same or linked processing operations, the total fine is capped at the amount set for the gravest of those infringements.
The more serious infringements breach the core of the regulation: the basic principles for processing (including the conditions for consent), the data subjects' rights (such as the right to erasure, or "right to be forgotten") and the rules on international transfers. These can result in a fine of up to €20 million, or 4% of the organization's total worldwide annual turnover for the preceding financial year, whichever amount is higher. Less serious infringements, such as breaches of the controller and processor obligations (for example on security, breach notification or DPO appointment), carry fines of up to €10 million or 2% of worldwide annual turnover, whichever is higher.
Is a Data Protection Officer (DPO) mandatory?
Under the GDPR, appointing a DPO is mandatory under three circumstances:
- The organization is a public authority or body (except courts acting in their judicial capacity).
- The organization's core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale.
- The organization's core activities consist of large-scale processing of special categories of data (sensitive data such as information on health, religion, race or sexual orientation) and/or personal data relating to criminal convictions and offences.
Yucca IT Consulting can help you
We can assist you throughout your preparation for compliance with the European GDPR. Working with your in-house project lead, we document a realistic timetable and have it approved by your management.