The European Union’s General Data Protection Regulation (GDPR) took effect on May 25, 2018. The sweeping reforms under the GDPR built on the previous data protection principles in the EU member countries but modernized these principles to provide greater protection and rights to individuals regarding their personal information (PI). The GDPR’s data protection rules have served as a model for other comprehensive privacy proposals and laws in Brazil, India, Thailand, and California.
Who does the GDPR apply to?
The GDPR has broad reach, including extra-territorial reach. The GDPR applies to organizations (data controllers and data processors) that handle the PI of EU citizens and residents, whether the organizations are EU-based or not. The GDPR applies to organizations that are based in the EU, even if the PI is being stored or used outside of the EU, and to organizations that are not in the EU if:
- the organization offers goods or services to individuals in the EU; or
- the organization monitors the online behavior of individuals in the EU.
What are the GDPR’s key principles?
The following seven key principles under the GDPR provide guidance on how PI must be handled by data controllers and data processors:
- Lawfulness, fairness, and transparency: Processing must be lawful, fair, and transparent to the data subject.
- Purpose limitation: PI may be processed for the legitimate purposes specified to the data subject when the PI was collected.
- Data minimization: PI should only be collected and processed as necessary for the specified purposes.
- Accuracy: PI must be accurate and up to date.
- Storage limitation: PI may be stored only for as long as necessary for the specified purpose.
- Integrity and confidentiality: Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality.
- Accountability: The data controller must be able to demonstrate compliance with these principles.
What rights do data subjects have under the GDPR?
The GDPR prescribes the following eight data subject rights:
- Right to be informed;
- Right to access data maintained by an organization about the data subject via a data subject access request;
- Right to rectification;
- Right to erasure of personal data;
- Right to restrict processing of data;
- Right to data portability;
- Right to object; and
- Rights regarding automated decision making and profiling.
Do companies need to obtain consent from data subjects to process their PI?
Processing of PI is generally prohibited unless it is expressly allowed by law or the data subject has consented to the processing. Under the GDPR, PI may be processed only on one of the following legal bases:
- The data subject has provided specific and unambiguous consent (such as an opt-in) to process the PI.
- Processing is necessary to execute or to prepare to enter into a contract to which the data subject is a party.
- Processing is required to comply with a legal obligation of the data controller.
- Processing is required to save someone’s life.
- Processing is necessary to perform a task in the public interest or to carry out some official function.
- A legitimate interest exists to process an individual’s PI.
What fines can be assessed under the GDPR?
The GDPR prescribes two tiers of fines based on the severity of the violation. Less severe violations may result in a fine of up to €10 million or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher. More serious violations may result in a fine of up to €20 million or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher. In the first 20 months after the GDPR took effect, regulators issued hundreds of fines to companies totaling more than €114 million.
What do companies need to do to comply with the GDPR?
Companies need an integrated privacy management platform to manage GDPR compliance and to ensure that privacy is embedded as a critical component of their operations. The first step is to understand what PI a company obtains and maintains, where this PI is located and flows within and outside the company, and what measures are in place or need to be in place to protect the confidentiality and security of this PI. Companies must then ensure they can comply with each of the privacy principles outlined in the GDPR, including obtaining consent from data subjects and ensuring access to and portability of PI.
CENTRL’s Privacy360 (GDPR Edition) is the most advanced integrated privacy management platform, offering distinct but inter-related modules for each key component of compliance.
Benefits of CENTRL’s Privacy360 include:
- Comprehensive privacy dashboard for DPOs and executives to monitor overall status.
- Data Inventory and Mapping module that automates the data mapping process using both eDiscovery and surveys.
- Data Subject Rights Management module that automates the process from data subject request to managing compliance through the full supply chain.
- Assessments module that automates the end-to-end process of DPIAs and PIAs related to processing activities and systems.
- Third-Party Risk Management module for managing and monitoring critical high-risk third-party relationships.
- Issues Management module to manage gaps and issues from identification to remediation.
By using CENTRL’s Privacy360, your organization can easily manage a multitude of templates, checklists, and questionnaires while retaining the control to monitor, evaluate, and create audit reports, allowing you to focus on the results instead of the process.