GDPR and You
Melanie Howes, Information Security Manager, Vistatec
General Data Protection Regulation
The new data privacy framework was rolled out across the European Union (EU) in May 2018. It’s called the General Data Protection Regulation (GDPR). It has been designed to harmonize data privacy laws across Europe, to protect all EU citizens regarding data privacy and to reshape the way organizations across the region approach data privacy.
So, what does that mean exactly? Having read through all 88 pages and 99 articles of the regulation, the top 5 takeaways I have for you are:
GDPR applies not only to organizations located within the EU but also to organizations located outside the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the EU, regardless of the company’s location.
Handling personal or sensitive data
The definition of “personal data” is quite broad. According to the EU, personal data is any information relating to a natural person, or ‘Data Subject’, that can be used to directly or indirectly identify that person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites or medical information to a computer IP address. There is also a definition of sensitive data, with expectations of even greater security and accountability in handling such information. Sensitive data is any personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Genetic data, biometric data, data concerning health, and data concerning a natural person’s sex life or sexual orientation are also categories of sensitive data.
The rules of valid consent have changed. Any form or document seeking consent from a user needs to be laid out in a simple, easy-to-understand way. Silence or inactivity does not constitute consent; clear and affirmative consent to the processing of private data must be provided. Think of your online sign-up forms — yep, they’ll probably need to be redesigned. Also, if a data subject provides their contact details in order to take part in a webinar, that does not give the company licence to include their email in monthly newsletter mailshots unless the person explicitly said ‘yes’, they would like to receive those newsletters.
Access to your data
Data subjects will have the right to request all information a company holds on them (a Subject Access Request) and also a right to be forgotten, i.e. to have their data removed from all of the places a company holds it. This might include, for example, databases, file systems, back-up repositories, CCTV tapes or email distribution lists.
This is the big one catching the eyes of most financial controllers. Companies found in breach of the regulation could face fines of up to 4% of annual global turnover or €20 million, whichever is higher. These fines are much higher than any single EU country can currently impose.
Here at Vistatec, we are already ISO 27001 compliant so we had a head-start regarding a lot of what is required under GDPR.
For more information on GDPR, the EU website is: http://www.eugdpr.org
This article first appeared in VTQ Magazine.
Read more: https://vtqglobal.com/