The General Data Protection Regulation (GDPR) is the latest in a host of rules designed to protect privacy. It is significant because it affects companies that do business in Europe or collect data on Europeans. GDPR’s wide-ranging scope ranks it right at the top of significant regulations, sitting beside well-known requirements such as HIPAA and PCI.
Your business may already be doing quite a few things GDPR requires, because GDPR shares goals with other regulations. HIPAA is designed to protect patient information held by covered entities and business associates, PCI to protect credit card information in card processing environments, and GDPR to protect the personal information of Europeans. This overlap of objectives means many GDPR specifications closely resemble those of other regulations. However, GDPR does introduce some new requirements that companies need to understand.
Some fundamental aspects of GDPR that are distinct from other regulations include the consent requirement, rights to erasure and data portability, accelerated breach notification, and the requirement for a data protection officer.
Consent requirement
GDPR mandates that companies obtain consent from individuals before storing their information. Consent must be specific to how the data will be used. Organizations must first spell out how they will use an individual’s data and then obtain approval for that use. Data use is then limited to only what the person allowed, and the organization must keep records of how information is used and processed. These records must be produced on request to the supervisory authority, the local governing body with which the business is associated for compliance and reporting purposes.
Rights to erasure and data portability
Under GDPR, individuals have the right to erasure and the right to data portability. Companies must remove the data they hold on a person when the individual requests it, and they must facilitate the transfer of a person’s information from their systems to another system using an open, commonly used electronic format.
Accelerated breach notification
Breach notification timelines are greatly accelerated under GDPR. The supervisory authority must be notified within 72 hours of the breach. The notification must include the relevant details of the breach: the number of victims affected and the personal records disclosed, the likely consequences for victims, how the company is handling the breach, and what the company will do to mitigate its possible adverse effects. This accelerated schedule requires businesses to have much more robust incident response and investigative procedures, as well as effective coordination among incident response, legal, investigative, and executive teams.
Data protection officer
Much like HIPAA’s privacy officer requirement, GDPR requires public authorities and organizations to appoint a data protection officer when their core business involves large-scale processing or monitoring of individuals. The data protection officer must be a senior person in the organization who reports to executive management. They must have the freedom to operate independently from the rest of the company and be provided with adequate resources to perform their role.
We live in an incredibly globalized world, one where businesses of all sizes work with customers spread around the world. GDPR has a wide-ranging impact on these companies, so it is important to understand its requirements. Begin the process now to position your company to operate and thrive under GDPR. The deadline for companies to comply with this regulation is May 25, 2018.