Blog Brexit compliance GDPR IT insights Privacy Security

Complying with EU Laws for Personal Data

With the EU’s Basic Data Protection Regulation (GDPR) now in effect, GDPR preparedness ought to be prime of thoughts for companies in all places, not simply these based mostly within the European Union (EU). This guide will take you through the fundamentals of GDPR, together with the seven rules that drive regulation and enforcement.

Table of Contents

What Is GDPR Exactly?
Prime Questions About GDPR
Deep Dive Into GDPR:

Precept 1: Transparent Processing of Data
Precept 2: Limitation of Collected Data
Precept three: Reduce Collected and Saved Data
Precept 4: Personal Data Must Be Correct
Precept 5: Limit Storage of Personal Data
Precept 6: Integrity and Confidentiality
Principle 7: Accountability

Create A GDPR Motion Plan

What is GDPR, Precisely?

The Basic Data Protection Regulation (GDPR) is new knowledge protection regulation for all 28 Member States in the European Union.

GDPR units a high commonplace for knowledge safety, and applies to any group that processes the private knowledge of EU residents, whether or not that group itself is predicated within the EU or not. This is essential, because the requirements set by GDPR are far more stringent than these set by current U.S. privateness legal guidelines. And the penalties for non-compliance are harsh. As much as USD $24M, or four% % of worldwide annual turnover, whichever is larger.

Designed to exchange the hodgepodge of knowledge safety laws and authorities at present relevant in the 28 EU member states, GDPR will create a homogenous regulation that may apply throughout the EU.

The reform modernizes the rules from the EU’s 1995 Data Safety Directive and applies to non-public knowledge of EU citizens from that’s processed by what the regulation calls knowledge controller and knowledge processors (extra on that later).

Prime Questions on GDPR

When did GDPR go into impact?

GDPR was signed into regulation in April 2016 and went effect on Might 25th, 2018. After that date, any group that collects, stores, or processes the private knowledge of EU residents must comply with the Common Data Protection Regulation.

What is Personal Data?

Personal knowledge is any knowledge which by itself, or when mixed with different knowledge that the possessor can doubtless access, can be utilized to determine a person. To a cybercriminal, the collection, processing, and transfer of private knowledge makes organizations across numerous industries profitable targets for phishing, denial of service, ransomware, and superior persistent menace assaults.

What are knowledge controllers and knowledge processors?

Controllers and processors are two several types of organizations that GDPR applies to-namely, people who “control” personal knowledge, and people who “process” it. A knowledge processor in GDPR is outlined as any organization that collects, processes, stores or transmits personal knowledge of EU citizens. A knowledge controller is the organization that directs the processor’s activities.

GDPR-processor

Meaning the info controller defines the how and why of private knowledge processing, and the info processor acts on the controller’s behalf. For example, a bank that outsources verify imaging processes is the info controller, whereas the outsourcer is the processor.

Beneath GDPR, knowledge processors want to take care of an audit path of all processing activities, however it’s the duty of the info controller to guarantee that each one of their processors are in compliance. Controllers aren’t relieved of their knowledge protection obligations if a breach occurs in a processors community.

Transfers of private knowledge between controllers and processors have to be safe, and the info have to be protected whereas it’s processed. In certain instances, GDPR also can require the info processor to delete private knowledge that is not wanted after processing.

Who has to conform with GDPR?

The principles of GDPR apply to any group that collects, stores or processes the private knowledge of EU residents.  It doesn’t matter the place your company is headquartered. Even corporations that shouldn’t have a bodily presence within the EU must comply with GDPR.

We’re already HIPAA compliant – will we be ok for GDPR?

Not exactly. There are some overlaps, but GDPR is a a lot bigger and extra far-reaching piece of legislation. You’ll be able to read more concerning the differences between the 2 right here.

GDPR-vs-HIPAA-layers

What are the penalties for non-compliance?

The results for non-compliance with GDPR are severe, as much as 20 million Euros, or four% of worldwide annual turnover, whichever amount is greater.

Would Brexit make the UK exempt from GDPR?

No. Even with Brexit, UK companies should comply with GDPR. The date for withdrawal from the EU is later than the Might 2018 date that GDPR comes into impact. Thus, UK businesses can be underneath the jurisdiction of the EU and subject to GDPR. After Brexit, UK enterprise will nonetheless should comply in the event that they acquire, retailer, or course of the private knowledge of EU residents.

Still have questions?

Take a look at our Procrastinator’s Guide to GDPR for a more in-depth breakdown of GDPR and its implications.

Deep Dive on GDPR

GDPR is built on seven knowledge safety rules that, collectively, be sure that the rights of the individual are central to the collection and processing of private knowledge.

The brand new laws strengthen users’ control over how personal knowledge is processed and saved, and grants key rights and freedoms corresponding to the best to consent, the appropriate to be told, the best to knowledge portability, and the proper to erasure of private knowledge (i.e. the “right to be forgotten.”)

GDPR-7-takeaways

Principle One: Truthful, Lawful, and Clear Processing of Data

The primary principle of GDPR knowledge safety act is the requirement for “fair, lawful, and transparent processing of data.” So what does that imply?

Beneath this rule, GDPR mandates that a knowledge controller have to be capable of offering a knowledge topic (ie. the consumer) with detailed details about his or her private knowledge processing.

To be compliant, this knowledge have to be introduced in an easily accessible manner, and in clear, concise, and transparent language. In other words, say goodbye to the 100-page consumer agreement.

To satisfy necessities for transparency, knowledge controllers must inform knowledge subjects earlier than any knowledge is collected, and each time any modifications in knowledge collection processes are made, and eventually, the info subject should consent to knowledge processing.

This consent can take several types, however it have to be given from a knowledge subjects’ personal free will, and constructive action have to be used to indicate consent (i.e. clicking a checkbox). Meaning implied consent is an enormous no-no beneath GDPR.

The regulation additionally states that private knowledge collected and used for processing have to be “adequate, relevant and limited to what is necessary for the purposes for which they are processed,” and the period for which that knowledge is stored is stored to a “strict minimum.”

Precept Two: GDPR Mandates Objective Limitation of Collected Data

Beneath the second knowledge safety principle of GDPR [Article 5, clause 1(b)], it’s mandated that private knowledge shall be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.” Any further processing of that knowledge should not be “incompatible with the initial purposes.”

Ensure you are compliant with GDPR. Obtain this free guide.

In plain English, this implies you need a reliable, lawful objective for accumulating and processing consumer knowledge—no more scooping up knowledge wholesale simply because you possibly can. When you gather personal knowledge that doesn’t have a selected objective, you could find yourself out of compliance.

Likewise, beneath GDPR when you’ve collected and processed knowledge for your objective, you might not course of that knowledge for an unconnected objective. For example, knowledge collected for analysis functions couldn’t be processed and bought for advertising functions.

Beneath GDPR, personal knowledge is any knowledge which by itself, or when mixed with different knowledge that the possessor can possible entry, can be used to determine a person. Meaning identify, telephone number, IP tackle, e-mail… the whole gamut.

GDPR-3-players

In the current Facebook scandal, which brought Mark Zuckerberg to testify in front of members of U.S. Congress and the E.U Parliament, it was revealed that British political consulting agency Cambridge Analytica used knowledge collected for research functions to target hundreds of thousands of People and EU residents for political ads in the course of the 2016 election cycle. Beneath the new restrictions enforced by GDPR, Cambridge Analytica and Facebook can be subject to hefty fines-up to four % of annual turnaround, worldwide.

There’s presently no such function limitation regulation on the books in the US.

Principle Three: Companies Must additionally Reduce Collected and Saved Data

One of the vital ways GDPR is reworking knowledge assortment and processing is the principle of knowledge minimization, beneath part 5, clause 1(c). In accordance with this principle, all collected private knowledge have to be “adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.”

That is intently related to function limitation, however differs in that it requires the restriction of which knowledge is stored, as well as the info that’s collected. Primarily, so as to be GDPR-compliant, it’s essential to implement knowledge minimization processes and rules at each stage of the info lifecycle-from collection to processing, storing, and use. At each level within the course of, you ought to be asking yourself: Do we actually need this knowledge? If the reply is not any, it is best to delete the knowledge. This course of ought to be documented with a provable audit trail.

Additionally, knowledge minimization means you want to take into consideration how lengthy you plan to retailer personal knowledge for. For example, in the event you need knowledge for a undertaking that may last seven weeks, you should delete that knowledge when the challenge is finished, and the info is not mandatory. Presently, it’s a standard apply to carry on to any and all private knowledge in case it might be useful down the street. Be warned: this won’t be compliant with GDPR.

As a way to stay compliant with GDPR, ask yourself the next questions when amassing knowledge:

  • How will I exploit private knowledge?
  • Can I obtain my aim with out accumulating personal knowledge?
  • How lengthy will I have to maintain personal knowledge to realize my aim?

How MOVEit Can Assist You Comply with GDPR Rules Two and Three

If your small business collects, shops, processes or transmits the private knowledge of EU residents, the Basic Data Safety Regulation (GDPR) will apply to you.  With this much at stake, the perfect apply is to assure that the techniques, consumer authentication, and encryption methods concerned in the transmission of private knowledge are safe and compliant with GDPR. Study more about how MOVEit may also help handle and secure file switch activity across your community.

Principle Four: Personal Data Should Be Accurate

In line with the fourth principle of GDPR, any private knowledge collected or processed have to be “accurate and, where necessary, kept up to date.” Moreover, GDPR mandates that “every reasonable step must be taken to ensure that personal data that are inaccurate,” regarding the purposes for which they are processed, “are erased or rectified without delay.”

So what, exactly, does that imply? In plain English: You’ll be able to’t hold junk knowledge, and it’s your duty to ensure that knowledge is correct and up-to-date. In any other case, you should erase it.

So say for instance you’re working on a political campaign, and you’re using knowledge from the last election cycle. Beneath Precept 4 it might be your duty to make sure that you’re using correct and up-to-date knowledge before mailing out to those constituents.

This touches on both the subject’s proper to rectification and their proper to erasure-both key provisions of GDPR. Beneath the appropriate to rectification, people have the fitting to have incorrect info corrected, and incomplete info completed. Underneath the best to erasure, they could request to have their personal knowledge deleted, and anticipate you to take action in a well timed manner.

GDPR-rights

Principle Five: Restrict Storage of Personal Data

Keep in mind again in Precept Three, how holding on to non-public knowledge simply in case it might be useful down the street, gained’t be compliant with GDPR? Nicely, the writers of that rule appreciated it a lot that they wrote a whole knowledge safety precept based mostly on it: the principle of storage limitation.

In accordance with that precept, private knowledge will not be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.” If personal knowledge is to be saved for longer durations, it have to be proven that the info will “be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.”

Principally, it’s identical to we stated earlier than, you could only maintain personal knowledge as long as you want it for the duty for which it was collected. The helpful life of the info could also be far longer, but chances are you’ll not maintain it on, and reuse for other purposes (or promote it to another person). This may forestall messy scandals like the one at Fb/Cambridge Analytica, and is a elementary proper beneath GDPR.

With a view to comply with this principle, you need a coverage in place that mandates retention durations, and documentation necessities for that policy that may allow you to audit for compliance. You also needs to ceaselessly evaluate the info that you’ve, and erase it when it’s not wanted.

Principle Six: Integrity and Confidentiality

Principle Six of GDPR is likely one of the most essential, and for good reason-it’s all about security.

Principle Six states that knowledge have to be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.”

In plain English: organizations must treat personally identifiable info (PII) in a fashion that is secure from theft, destruction, or unintentional loss. The decision for using “appropriate technical or organizational measures” is just a little fuzzy, and it’s doubtless that GDPR’s writer have been purposefully obscure in mandating safety steps, as these applied sciences and greatest practices are in a continuing state of change.

Without being too specific, the principle however encourages using properly established greatest practices for cybersecurity – issues like encrypting knowledge in transit and at relaxation, utilizing 2FA, and using tamper-evident logging to trace who accesses knowledge.

Principle Seven: Accountability

While precept Six is the one one which explicitly focuses on safety, our ultimate precept focuses on what everyone actually cares about: penalties.

Precept Seven states, succinctly, that “the controller shall be responsible for, and able to demonstrate compliance with [the previous principles].”

In case you fail to show compliance with the previous six rules, the results might be dire- up to 20 million euros, or four% % of worldwide annual turnover, whichever is greater.

And compliance is obligatory for any group that collects, shops or processes the private knowledge of EU residents. It doesn’t matter where your company is headquartered. Even corporations that wouldn’t have a bodily presence in the EU must comply with GDPR.

But what does compliance seem like? How are you imagined to reveal compliance? GDPR doesn’t outline how businesses will show compliance, as a result of that may differ tremendously relying on the kind of enterprise you do, the private knowledge you handle, and the dimensions of your group. However you’ll be able to guess that you simply’d better be prepared for an audit, no matter measurement. Typical greatest practices, comparable to logging of security incidents and access to PII, and inner auditing are beneficial.

What’s extra, it might be advisable to get a danger evaluation of our enterprise, which can enable you to determine any weak factors, and evaluate whether or not or not it is advisable enhance or implement particular security controls.

Create a GDPR Motion Plan

As famous above, if what you are promoting collects, shops, processes or transmits the private knowledge of EU residents, the Common Data Protection Regulation (GDPR) will apply to you.  With this much at stake, one of the best apply is to guarantee that the techniques, consumer authentication, and encryption methods concerned within the transmission of information are secure and compliant with GDPR.

Study more about how MOVEit might help handle and secure file switch activity throughout your network.