
GDPR: What Your Organization Needs to Know


The European Union is about to begin enforcing the most significant piece of European data protection legislation in 20 years. The General Data Protection Regulation (GDPR) goes into effect on May 25, 2018, and could affect any organization that has, or plans to have, website or app visitors from the EU.

The GDPR replaces the Data Protection Directive of 1995 with the intention of harmonizing data privacy laws across Europe. It is a comprehensive data protection law written to protect the privacy of individuals in the EU, and it applies to any organization that processes the personal data of people located in the EU, for example by tracking their online activity. It does not matter whether an entity has a physical location in the EU or is based in the EU: if that entity offers goods or services to people in the EU, or monitors their behavior, or plans to, it must comply with the GDPR.

Personal data means any information that can be used, directly or indirectly, to identify a natural person (the data subject).

Key Changes

The biggest changes the GDPR introduces are an increase in territorial scope and stricter rules on consent.

  • Territorial Scope: The GDPR covers a very large number of people, because it does not matter where the company processing the data is located as long as the data subjects are in the EU.
  • Consent: The GDPR strengthens the conditions for consent. Under the GDPR, a request for consent must be presented in an intelligible and easily accessible form, using clear and plain language. People need to know what they are consenting to without having to decipher legalese, and it must be as easy to withdraw consent as it was to give it. Explicit consent is required for processing sensitive (special category) personal data; for non-sensitive data, unambiguous consent is sufficient.
  • Data Protection Officer: A DPO is only required for public authorities, organizations whose core activities involve large-scale, regular and systematic monitoring of individuals, or organizations whose core activities involve large-scale processing of sensitive personal data.

Additional Rights

The GDPR also grants additional rights to data subjects, which include:

  • The right to be informed. Data controllers must be transparent about how they use personal data and must tell data subjects how their data is being used.
  • The right of access. This right improves transparency and entitles the data subject to learn whether an organization is processing their personal data, and how and why it is being processed.
  • The right to rectification. Data subjects can have their personal data corrected, without undue delay, if it is inaccurate or incomplete.
  • The right to erasure. Data subjects have the right to have their personal data deleted upon request, subject to limited exceptions. Grounds for erasure include, but are not limited to, withdrawal of consent and the data no longer being necessary for the purpose for which it was collected.
  • The right to data portability. Data subjects have the right to receive the personal data they have provided about themselves in a structured, commonly used, machine-readable format, and to transmit that data to another controller.
  • The right to object. Data subjects can object to the processing of their personal data, including processing for direct marketing.

Steps to Prepare

To prepare for the GDPR taking effect on May 25, 2018, organizations should take the following steps:

  1. Determine where personal data currently comes from and where it resides, and document what is done with it.
  2. Determine what data the organization needs to keep and what data no longer serves its purposes.
  3. Put security measures in place to guard against data breaches.
  4. Review all privacy statements and disclosures to ensure they comply with the GDPR.
  5. Establish procedures for handling the new rights available to data subjects under the GDPR.

Failure to comply with the GDPR can result in fines of up to 4 percent of annual global turnover or €20 million, whichever is higher.
