Are you ready?
The European Union (EU) has developed the General Data Protection Regulation (GDPR), which will affect the personal data of all EU citizens, as well as the organizations that serve and do business with them. The regulation takes effect on May 25, 2018 – however, organizations should start preparing now to plan their GDPR strategy and ensure compliance with this updated legislation.
What is the GDPR?
GDPR is a regulation aimed at protecting the rights of EU citizens as they interact with businesses and agencies that request “personal data” to complete transactions. Personal data is any information relating to an identifiable person, including “physical, physiological, genetic, mental, economic, cultural, or social identity” factors.
The GDPR was approved in April 2016 and is considered an upgrade of the EU 1995 Data Protection Directive (DPD) and the UK 1998 Data Protection Act (DPA). An upgrade was necessary due to the exponential increase in data collection, usage, and storage through digital interaction.
A Global Concern
While the GDPR’s objective is to protect the information of EU citizens, it has a global impact.
The GDPR not only applies to organizations located within the EU, but it will also apply to businesses and groups outside of the EU if they offer goods or services to EU residents. GDPR applies to all companies processing and holding the personal data of persons residing in the European Union, regardless of the company’s location.
What Are the Key Changes in the GDPR?
There are several key changes businesses will be subject to by the May 2018 implementation date. Among them:
The GDPR does away with the criterion of number of employees and focuses instead on what organizations do with personal information. Any company, regardless of location, that processes the personal data of an EU resident is subject to the GDPR. Any non-EU business that processes the data of EU citizens must appoint a representative in the EU.
Fines for non-compliance with the new GDPR regulations are significant. Businesses can be fined from 2% of global revenue for not having their records in order (Article 28) up to 4% of annual global revenue or €20 million (whichever is greater) for breaching the GDPR.
Privacy by Design
The GDPR calls for data protection to be built in from the outset of system design, rather than added afterwards. Controllers must hold and process only the data absolutely necessary to complete their duties, and must limit access to personal data to those who need it for processing.
Right to Access
Individuals can obtain confirmation of what personal information is being processed, where it is being stored, and why it is being held. On request, a Controller must provide the individual with an electronic copy of this data free of charge.
Right to be Forgotten
Individuals are entitled to have their data erased, to have its further dissemination stopped, and potentially to have third parties halt processing of it. If their data is no longer relevant to the purpose for which they originally provided it, they may also have it erased.
Right to Data Portability
The right to data portability allows individuals to obtain and reuse their data for their own purposes across different services. It allows them to move, copy, or transfer personal data easily from one IT environment to another in a safe and secure way.
FileFacets helps businesses with GDPR compliance.
FileFacets Privacy by Design
FileFacets provides the platform and methodology to help businesses comply with the GDPR. With years of experience in information governance, we provide the tools for acquiring data from multiple sources and identifying Personally Identifiable Information (PII).
The FileFacets Privacy Compliance platform allows you to scan multiple sources and repositories to locate and identify any Personally Identifiable Information (PII) or sensitive data your organization may possess. The Analytics tool runs continuously, so newly created content containing PII can be flagged, moved, deleted, or secured in a safe environment.