Author Archives: GDPR News

What is the Difference Between a Controller and a Processor in GDPR?

The General Data Protection Regulation (GDPR) makes frequent reference to GDPR data controllers and GDPR data processors, but what is the difference between a controller and a processor under the GDPR?

When the GDPR comes into effect on May 25, 2018, both data controllers and data processors will have specific duties which they must fulfill. Under the existing regulations, data processors do not have statutory responsibilities. This will change with the GDPR’s introduction. As a result, organizations will need to ensure that they are aware of whether they will be classified as data controllers or data processors. If they are unsure, they run the risk of failing to comply with the strict standards and criteria expected of them under the new law. They should also know where they stand in order to implement the necessary data protections and procedures, if applicable.

GDPR Data Controllers

The GDPR has kept the categorization of data controllers and data processors the same as it appears in the existing legislation. A data controller decides, either alone or in concert with other groups, what types of data are to be collected and how they should be processed. They have a number of important obligations under the law. Numerous distinctions exist between data controllers and data processors. Let us take, for example, a company processing payroll data: the company itself would be classified as a data processor whereas that company’s customers would be data controllers.

GDPR Data Controllers’ Responsibilities

Data controllers are responsible for ensuring, and must be able to demonstrate, that their data processing activities comply with GDPR standards, in accordance with the accountability principle of Article 5. This part of the law states, among other things, that data must be “processed lawfully, fairly and in a transparent manner”.

Article 5 goes on to state that use of the data must be strictly limited to “specified, explicit and legitimate purposes”; that only the minimum data needed for the purpose will be processed; and that reasonable steps must be taken to ensure the data is accurate and up-to-date. Data controllers are also responsible for the confidentiality of the data. Compliance with these rules can be strengthened through introducing a code of conduct, which processors must abide by.

It is important that controllers put such codes of conduct and rules into place at the very beginning of their activities, following a concept called privacy by design. Once these are implemented, they can help to ensure the correct technical and organizational procedures are respected, an area where the controller is also responsible. This will help establish norms such that only the minimum amount of data is processed, in a secure manner, as a matter of course.

The GDPR further expands on this approach in Article 25, data protection by design and by default. This Article calls for the data controller to introduce “appropriate technical and organisational measures” to:

– Implement data-protection principles, such as data minimization

– Ensure that, by default, only the data necessary for each specific purpose is processed and stored

– Keep the period of the data storage to a minimum

– Ensure access to data is strictly limited to only those who require it

Data controllers should also designate the parties responsible for data protection, impact assessments, risk reduction, and data minimization.

GDPR Data Processors

In contrast to controllers, data processors are public entities or agencies that store or process data for controllers. As they play a central role by processing data, it is of the utmost importance that they are only selected after a careful review process – indeed, the GDPR requires that due diligence research be carried out when choosing a data processor – and that strict agreements be put in place to ensure that processors fulfill the requirements imposed upon them by data controllers and regulatory bodies.

GDPR Data Processors’ Responsibilities

In certain cases, data processors will be required to designate a Data Protection Officer (DPO). This concerns both processors and controllers and should be done when systematic processing of large amounts of data is conducted or when data related to criminal and legal records is processed.

Processors cannot make use of the services of sub-processors without first receiving written permission to do so and contractually binding the subcontractor to the same standards dictated to them by authorities and data controllers. Any sub-contractor used must meet GDPR standards and must comply with the established procedures before transferring any data to a non-EU country. The processor must answer for any error committed by the sub-contractor.

A key element in ensuring compliance with the GDPR will be the close collaboration of processors and controllers while conducting impact assessments. Processors must be able to answer any questions or objections posed to them. Importantly, they must be able to satisfy data subjects who choose to use their “right to be forgotten”, who request a copy of their data, or who object to the use of their data.

The post What is the Difference Between a Controller and a Processor in GDPR? appeared first on HIPAA Journal.

Overview of GDPR Article 35

The General Data Protection Regulation (GDPR) is a highly complex piece of legislation, but entities should pay particular attention to ensure they have a clear overview of Article 35 and understand how their activities may create risks for individuals, as well as for themselves.

The GDPR is a wide-ranging European privacy law, governing and protecting the data of people living in the EU. It will come into effect on May 25, 2018. Article 35, Data protection impact assessment, is the first Article in Section 3, Data protection impact assessment and prior consultation.

As certain data processing activities use novel techniques or include the processing of more sensitive data, they may present a high risk to data subjects – the people the data refers to. Article 35 describes when and how a data controller should carry out a data protection impact assessment in order to identify and minimize or address these risks.

What Type of Data Requires an Assessment?

The processing of certain data types will always require a data protection impact assessment prior to any processing being executed. Article 35 notes that large scale automated processing of “personal aspects relating to natural persons” will require an impact assessment if the results of the processing “produce legal effects concerning the natural person or similarly significantly affect the natural person”. Importantly for many organizations, the Article clearly states that this includes automated profiling processing. Some have raised the question of whether this means offering discounts to certain customer profiles – which could constitute a legal effect – would require an assessment.

Other data that is specified in the Article is the large scale processing of “personal data relating to criminal convictions and offences” and – through referral to Article 9 – “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”.

More broadly, Article 35 requires impact assessments for “systematic monitoring of a publicly accessible area on a large scale”. This could mean monitoring footfall on the street outside of a retail location or car traffic in a publicly accessible car park or road would require an assessment.

What Must be Included in a Data Protection Impact Assessment?

If the organization has a data protection officer, they must be involved and consulted during the impact assessment. There are four main pillars that must be addressed in the assessment:

1. A description of how the processing will be carried out as well as the purpose of the processing.

2. A report of the “necessity and proportionality” of the processing compared to the intended outcome, e.g. if you are processing web traffic by browser and money spent with the goal of optimizing the website for higher paying customers, then processing the physical or IP location of these customers might not be necessary or proportional to your stated goal.

3. An in-depth assessment of the risks that processing the data may create for the data subjects. For example, could your browser/spending study data increase the risk of these customers or browsers being targeted by viruses or malware?

4. The security measures that will be put in place to reduce or address the identified risks.

Best Practices for Compliance

There are some steps that organizations can take to help them to comply with the GDPR standards, such as:

– Auditing data in order to identify what types of data are being stored, how they are being stored, and how they are being processed. An employee should be appointed to manage and take responsibility for processing activities.

– We mentioned above that certain data is more sensitive than others. Different assessment procedures will work better in identifying the risks for different types of data. Determining the optimum procedure prior to commencing the assessment will ensure a more robust result.

– Explore certification or approved codes of conduct. Article 35 states that “compliance with approved codes of conduct referred to in Article 40 by the relevant controllers or processors shall be taken into due account in assessing the impact of the processing operations”.

These three steps can increase the relevance and efficiency of the assessment process, saving time and money while facilitating compliance.


GDPR Password Requirements

The European General Data Protection Regulation (GDPR) will take effect from May 25, 2018 and will naturally involve GDPR password requirements. The regulation deals with how to safeguard and appropriately process the personal data of people living in the European Union (EU). An important aspect of data and account protection is the system that is being used to access the data – with a critical component of this being whether passwords are part of the access requirements and how passwords can be stored or reset.

While the word “password” itself does not appear anywhere in the text of the GDPR, Regulation (EU) 2016/679, it is stated that “a high level of protection of personal data” must be ensured and that safeguards must be in place “to prevent abuse or unlawful access or transfer”. The law also states that “personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data”.

The law frequently refers to “appropriate safeguards”, “appropriate security”, and “appropriate measures”. This gives entities a certain level of freedom in what approach they take to protect the data. It also acts to somewhat “future-proof” the legislation, by avoiding naming certain technologies or practices which may become obsolete as technology progresses.

One of the sections of the law remarks that “measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected”. This is probably the “in a nutshell” version of the GDPR’s security requirements.

Importantly for our purposes, the use of passwords is not prohibited by this approach, nor are there any specific requirements mentioned e.g. minimum lengths, capital letters, numbers, maximum periods of validity/required change frequency. With the right support systems in place, passwords can be argued to ensure security and confidentiality, while remaining feasible in terms of cost and technology. What support systems would be required for this to be the case?

As we mentioned above, how passwords are stored and reset is a critical aspect of GDPR compliance. Clients and staff members may legitimately forget or need to reset passwords for a number of reasons. GDPR requirements mean that companies must be able to demonstrate that their password reset processes and procedures are secure. Systems must be in place, for example, to prevent help desk employees that may be involved in resets from directly accessing passwords.

Perhaps the optimum way to ensure this is through the use of a secure “self-service” reset system. These systems can make use of two- or multi-factor authentication to check that the person requesting the reset is the legitimate owner of the account. A common method to implement this for online services is to transmit an automatically generated reset code to the telephone number associated with the individual account name. If used within a certain period of time, this then opens a temporary window when a password reset may occur using the account name or email address.

Other “external” factors which can be used alongside the user’s identification to securely reset a password may be voice recognition, fingerprints, or smart-cards. If the person requesting the reset can show they have two or more specific elements – such as knowledge, a possession, or something inherent to the user and only the user – that only the account holder should have, then the password reset mechanism can be triggered.

In our example above, these specific elements would be the account name/email address and access to the user’s pre-registered telephone. While there is a risk of a third party gaining both knowledge of the account name/email address and possession of the legitimate user’s telephone, it can be considered to be low enough (for now) that this form of password reset can be reasoned to be quite secure. The temporary nature of the reset code and reset window add to the security. As extra layers or factors are added, the safety of the account is increased.

How passwords are stored is not directly addressed. The previously quoted sections relating to appropriate measures still apply. It is also mentioned that “in order to maintain security and to prevent processing in infringement of [the GDPR], the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption”. From this, we can infer that passwords used to access data should be stored to standards that are comparable to storing them as encrypted data, at a minimum.
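The self-service reset flow described above (a generated code delivered to the registered phone, a short validity period, then a temporary window in which the password may be changed) together with one-way password storage, as an added Python example that is not part of the original post. The in-memory stores, the time limits, the attempt cap and the PBKDF2 work factor are assumptions; it stores only a hash of the reset code, so help-desk staff reading the store cannot use it, and stores passwords as salted slow hashes rather than reversible ciphertext.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Constructed in-memory stores standing in for a database (assumption for this example).
ACCOUNTS = {}      # email -> {"salt": bytes, "pw_hash": bytes, "phone": str}
RESET_STATE = {}   # email -> {"code_hash": bytes|None, "expires": float,
                   #           "attempts": int, "window_until": float|None}

CODE_TTL = 10 * 60       # seconds a reset code stays valid (assumed policy value)
WINDOW_TTL = 5 * 60      # seconds the reset window stays open after a valid code (assumed)
MAX_ATTEMPTS = 5         # wrong-code guesses allowed before the code is invalidated (assumed)
PBKDF2_ROUNDS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed)


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted one-way hash: the stored value cannot be turned back into the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register(email: str, password: str, phone: str) -> None:
    salt = os.urandom(16)
    ACCOUNTS[email] = {"salt": salt, "pw_hash": hash_password(password, salt), "phone": phone}


def verify_password(email: str, password: str) -> bool:
    acct = ACCOUNTS.get(email)
    if acct is None:
        hash_password(password, b"\x00" * 16)  # same cost for unknown accounts: no timing leak
        return False
    return hmac.compare_digest(acct["pw_hash"], hash_password(password, acct["salt"]))


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Create a one-time code for delivery to the registered phone (the possession factor).

    Only a hash of the code is stored, so nobody reading the store can use it.
    Returns None for unknown accounts; the caller should respond identically either
    way so the endpoint does not reveal which email addresses have accounts.
    """
    now = time.time() if now is None else now
    if email not in ACCOUNTS:
        return None
    code = f"{secrets.randbelow(10 ** 6):06d}"  # 6 random digits from a CSPRNG
    RESET_STATE[email] = {
        "code_hash": hashlib.sha256(code.encode()).digest(),
        "expires": now + CODE_TTL,
        "attempts": 0,
        "window_until": None,
    }
    return code  # deliver to ACCOUNTS[email]["phone"]; never log or display it


def confirm_code(email: str, code: str, now: Optional[float] = None) -> bool:
    """Check the code; on success open a short reset window and discard the code."""
    now = time.time() if now is None else now
    state = RESET_STATE.get(email)
    if state is None or state["code_hash"] is None:
        return False                  # no outstanding code (or it was already used)
    if now > state["expires"]:
        RESET_STATE.pop(email)        # expired: a fresh code must be requested
        return False
    state["attempts"] += 1
    if state["attempts"] > MAX_ATTEMPTS:
        RESET_STATE.pop(email)        # a 6-digit code must not be guessable by brute force
        return False
    if not hmac.compare_digest(state["code_hash"], hashlib.sha256(code.encode()).digest()):
        return False
    state["code_hash"] = None         # single use
    state["window_until"] = now + WINDOW_TTL
    return True


def reset_password(email: str, new_password: str, now: Optional[float] = None) -> bool:
    """Set a new password only inside an open reset window, then close the window."""
    now = time.time() if now is None else now
    state = RESET_STATE.get(email)
    if state is None or state["window_until"] is None:
        return False
    if now > state["window_until"]:
        RESET_STATE.pop(email)        # window closed without being used
        return False
    salt = os.urandom(16)             # fresh salt for every password change
    ACCOUNTS[email]["salt"] = salt
    ACCOUNTS[email]["pw_hash"] = hash_password(new_password, salt)
    RESET_STATE.pop(email)            # one reset consumes the window
    return True
```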

Should your organisation choose to use passwords as a security measure for data protected by GDPR, we advise the use of multi-factor authentication for identification and password resets, as well as encrypted storage of data and passwords.


What Countries are Affected by the GDPR?

Which countries are affected by the GDPR is a common question. The General Data Protection Regulation (GDPR) is a European Union (EU) Regulation that was adopted on April 27, 2016. The GDPR will come into force on May 25, 2018. While it is a piece of EU legislation, even institutions located outside of the EU must be aware of its implications and be on their guard to avoid violating it. The physical location of the organization does not exempt or shield it from facing the consequences of non-compliance.

Institutions that have offices in an EU country or that process the personal data of anyone located within an EU country are obliged to follow the GDPR. As businesses and other organizations often have an international focus and reach, it is quite probable that your entity will be required to comply with the GDPR – especially if it is an entity that operates or offers services via the internet.

Main Countries Concerned by the GDPR

As mentioned above, the physical location of the group is not as important in determining the need to comply with the GDPR as the physical location of the data subject – the person whose data is being stored or processed. We have stated already that most groups will find themselves subject to or impacted by the GDPR. Having said that, organizations located within the EU will likely see their practices change to a greater extent. Logically, they are more likely to process a larger amount of data belonging to individuals located in the EU. Organizations in the following countries, the EU member states, will probably be most concerned by the GDPR:

  • Austria
  • Belgium
  • Bulgaria
  • Croatia
  • Republic of Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Ireland
  • Italy
  • Latvia
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden
  • United Kingdom

Even with the uncertainty following Brexit and the United Kingdom’s (UK) future legal status regarding EU laws, for now it remains an EU state. This means that the GDPR will become part of UK law and will remain so until such a time as it is changed by the British government. Accepted EU laws will not just stop applying to the UK once they have left the EU.

How the GDPR Will Affect Non-EU Nations

The GDPR will have a global impact even with the relatively small and localized nature of the EU itself. Although EU countries are more likely to see the most change, non-EU countries are likely to see greater disruption following the introduction of the GDPR. This is because organizations located within the EU are more likely to be prepared for the changes, as they are more likely to be aware of the introduction of the GDPR. A large number of organizations located outside of the EU are still unaware of the coming change or are of the opinion that they are exempt or will be unaffected.

There is also a sociological difference at play: non-EU societies such as the United States (US) and others do not have the same expectation of privacy as many EU societies. Privacy laws are in place for certain types of “sensitive” data, such as the Health Insurance Portability and Accountability Act (HIPAA), which regulates healthcare information; or the Gramm-Leach-Bliley Act, which concerns financial information; but “general” data does not enjoy the same protections. This may place US entities at a disadvantage as they may need to have several procedures in place to correctly handle personal information depending on whether it originates from the EU or the US.

The need to implement, staff, and run parallel systems may introduce too much complexity and drive costs too high for US-based organizations to continue offering their services to the EU market. A potential strategy may be for US-based actors to adopt an “all or nothing” approach that protects “general” data in a way currently reserved for “sensitive” data. This may allow the same system to be used to comply with both HIPAA, for example, and the GDPR. As of now, it is unclear whether many US groups will attempt this strategy.

Transferring Data Outside of the EU

The GDPR places strict controls on data transferred to non-EU countries or international organizations. These are detailed in Chapter V of the Regulation. Data is allowed to be transferred only when the EU Commission has deemed that the transfer destination “ensures an adequate level of protection”.

Data transfers can also occur in situations where the receiving entity can demonstrate that they meet this “adequate level of protection”, subject to periodic review every four years. The necessary protections may include:

– Commission approved data protection clauses

– Legally binding agreements between public authorities

– Commission approved certification

– Binding corporate rules that are enforced across different entities within the same corporate group

The transfer of data is strictly regulated so as to offer each individual in the EU the same protections and rights under EU law regardless of the location of data storage or processing.

What Does GDPR Mean for Me?

Above, we have seen a brief description of the data concerned by the GDPR – personal data of an individual located within the EU. We have also touched upon who is affected and how groups in some non-EU countries may approach GDPR compliance in an efficient manner. Now, we will outline why compliance is important: the maximum fine for violating the GDPR can be as high as €20 million, or 4% of annual turnover, whichever is higher. Compliance is, therefore, a very important issue.

While some groups will need to adapt their methods of processing data to be GDPR compliant, a common EU legislation will make it easier to deal with data originating from different EU countries.

With the introduction of the GDPR fast upon us, groups must use the time they have left to ensure they will be compliant on May 25. They will need to audit their data and verify that the methods of collecting, processing, and storage – as well as the nature of the data itself – are GDPR compliant.

If the necessary systems are not in place by May 25, organizations run the risk of non-compliance, sanctions, and losing business from their European partners.


“To-do list” for GDPR Compliance

The goal of this short piece is to provide a checklist for companies or businesses who are concerned with GDPR compliance. This list should permit such entities to take initial steps in order to comply with GDPR. Please note that this is not intended to be a comprehensive guide, more so a few “rules of thumb” to take into account in order to get started.

Preparing for GDPR

Although the impact of the General Data Protection Regulation (GDPR) has been largely known since it was agreed upon in 2016, it seems that few organisations are ready for it. According to ‘Spice Works’, just one year before the implementation date of the 25th May 2018, only 2% of Information Technology professionals surveyed throughout the European Union believed that their company or business was properly prepared for GDPR. A similar figure applied to IT professionals in the USA, and the figure for their UK counterparts was only marginally higher, at 5%. Simply put, this statistic is a cause for concern given that correct compliance is a necessity for companies which wish to avoid fines and other penalties.

In order to comply with the GDPR, companies should begin by ensuring that the following actions are taken:

Inform yourself about the GDPR

The majority of business people possess some knowledge about the GDPR. The most obvious thing about the GDPR is that it will replace the Data Protection Directive (DPD). The difference between an EU Regulation and an EU Directive means that the new law should improve the level of uniformity concerning how personal data is managed across the entire European Union.

Under the GDPR, individuals will possess greater control over how their personal data is to be used. This is applicable to every person who resides within one of the member states of the European Union. They retain the right to access the data, the right to have inaccurate data corrected, and the right to have the data erased (save for a small number of specific circumstances). It is important to note that companies throughout the entire world will be impacted by the GDPR, and not only those based within the EU. Any organisation which processes the personal data of individuals who live in a European Union member state is obliged to respect the new regulation.

Companies must ensure that their employees are briefed on this information, and receive training on how the GDPR functions and its impact on the way the company will henceforth deal with data.

Perform an audit of stored data

As soon as a company is aware of what is needed in order to comply with the GDPR, it must carry out an audit of the personal data that it presently holds. It should take the following into account:

  • What type of data is held?
  • In what location is the data held?
  • Who is in charge of managing the data?
  • For what purpose is the data used?
  • Is retention of the data still necessary?

Perhaps the key thing to consider is whether or not it is at all necessary to still retain the data. The GDPR states that data should be used only for the purpose it was originally obtained for. Should that purpose no longer exist, the data should be deleted or destroyed, save in circumstances where there is a legally sound reason to retain it. As a general rule, it is worth noting that the less data any particular company holds, the less significant the impact of any data breach or misuse is likely to be.

Pinpoint risks

Any high-risk data or activities should be identified. In order to do so, it is advisable that Data Protection Impact Assessments (DPIAs) be used. As soon as risks have been identified, steps to mitigate them need to be taken. If, on the available evidence, it seems that mitigation is impossible, the relevant Data Protection Authority (DPA) should be consulted in order to discuss how best to keep and process the data. This type of discussion, it should be noted, is anticipated to be relatively rare. That said, if circumstances arise whereby it appears that no mitigation is possible, a company is obliged to contact the authority to discuss the issue in order to be compliant with the GDPR.

Put GDPR compliance policies and procedures in place

Any company which wishes to comply with the GDPR needs to be able to answer the following:

  • What type of data is held?
  • In what location is the data held?
  • Who is in charge of managing the data?
  • For what purpose is the data used?
  • Is the data still relevant and is retention of it still necessary?
  • What security measures are in place to protect the data?
  • Can the data be accessed and furnished to the individual concerned should they make a System Access Request (SAR)?

Significantly, every company must also be able to demonstrate that it possesses all of this knowledge. In order to do so, it is essential that processes and procedures be put in place.

Keep a record of all compliance processes

As noted above, companies are required to demonstrate that they are GDPR compliant. For this reason it is essential to accurately document each process and procedure. A company which is revealed to be non-compliant may be faced with a fine of up to €20 million, or 4% of its annual turnover (whichever is greater). While in all probability the DPA will initially concentrate on addressing issues with companies which are obviously non-compliant, it is still extremely important for every company to have its own processes, procedures and documentation in place.

Prepare for the risk of data breaches

As soon as the GDPR has been introduced, it will become obligatory for every data breach to be reported to the relevant authority within 72 hours. It is for this reason that it is essential that each company has its own procedures in place for dealing with data breaches if and when they occur. Aside from failing to comply with the GDPR and therefore exposing the company to a costly fine, a lack of contingency plans might also lead to a damaged reputation. This could prove to be even more costly in the long term, should it have a significant impact on custom.

Employ an in-house Data Protection Officer (DPO)

Following activation of the GDPR, any business or organisation which monitors the personal data of individuals (including IP addresses) on a significant scale will be obliged to engage the services of a DPO, in either an internal capacity or by means of an external provider. This also applies where companies process voluminous amounts of special category data, e.g. genetic data or criminal information. Public bodies which deal with the personal data of individuals will also need to have a DPO in place.

It is very probable that, initially, there will be a lack of qualified Data Protection Officers available. That said, there is no clear definition of what qualifications a DPO is required to hold. What is necessary, however, is that a DPO be fully acquainted with what the GDPR covers, and its impact upon the business. Furthermore, they must be able to initiate and oversee the running of data protection systems and processes. It is feasible for a company to internally recruit an existing staff member as its DPO provided that they possess the skill set required, and have received sufficient training in every aspect of the GDPR.

Development of monitoring and reporting processes

As soon as it has ensured that GDPR compliance systems are in place, a company must also develop processes for monitoring and reporting on their performance. This is so that, firstly, each company is capable of checking at any time that its processes are functioning and fully GDPR compliant. And, secondly, because every company must be able to demonstrate that it is compliant in the event that it is audited by the relevant Data Protection Authority. A company can demonstrate that it is compliant only if everything it does concerning data management and protection is accurately documented. Furthermore, it will need to be able to show that a functional checking regime is in place.

The importance of being prepared

As noted above DPAs will be able to impose a variety of fines for non-compliance with the GDPR. The precise amount of the various fines, aside from the maximum in each category, remains undefined. It appears that DPAs will have some flexibility when it comes to making decisions about this matter. The imposition of other sanctions will also be subject to a certain amount of leeway. What those other available sanctions will be has not yet been defined.

Despite the fact that DPAs will possess some leeway in their imposition of sanctions and fines, it is anticipated that they will discuss these questions with each other so that a level of uniformity is achieved.

Step one for any company should be to make itself aware of the scope of the GDPR. A large number of companies which operate worldwide appear to think that the GDPR does not affect them in any way. If, however, they have any role in the processing of the data of people who live within the European Union, they might be in for quite a shock. This does not only apply to data that has been received directly from the subject; it could also apply to data that was received from a 3rd party. Being informed about the GDPR, and its consequences for them, is a company’s essential first step on the way to compliance.

After that initial step has been taken, it is then a matter of assessing present data and practices, and ensuring that any data being held is being done so in compliance with the GDPR. Companies must also enact processes and procedures in order to ensure that continuing data collection and management is GDPR compliant. The management of data must also be monitored and reported on. Risks must be identified and mitigated against. While companies should do everything within their capabilities to guarantee the security of data, they should also be ready to report any breaches of data within 72 hours of occurrence. In order to avoid the potential penalties under the GDPR and to protect their good reputations, companies should ensure that all of the above is in place by the 25th May 2018.


Understanding GDPR Compliance

What does ‘GDPR Compliance’ mean?

GDPR compliance is due to become obligatory in May 2018 for every business, organisation or company which gathers, stores or utilises the personal data of citizens throughout the European Union. The application of the General Data Protection Regulation (GDPR), together with the need for GDPR compliance that will follow, will significantly impact the manner in which data protection is dealt with throughout Europe.

In order to respond to the question “What does ‘GDPR Compliance’ mean?”, it is necessary to explain, to those who may be unfamiliar with the terms, the difference between a European Union Directive and a European Union Regulation. An EU Directive is a general set of guidelines on which EU member states may base their own domestic laws (with some flexibility as to the precise terms), whereas an EU Regulation is legislation that applies throughout the entire European Union, meaning that all member nations are obliged to comply with Regulations and they are enforceable by law.

The General Data Protection Regulation (GDPR) is, as its name would suggest, an EU Regulation. The 1995 EU Data Protection Directive will be replaced by the GDPR, which serves to create standard data protection laws across the EU. Businesses and companies that operate in numerous EU member states will now be obliged to work within a uniform set of rules which resolve issues that were impossible to foresee when the 1995 Directive was drafted, e.g. data processing in the context of “cloud” technology.

Essential Aspects of the New Data Protection Rules under GDPR

The GDPR data protection rules comprise a precise clarification of what is legally recognised as personal data, the rights of citizens to be informed as to how their personal data is used, what personal data can be gathered, and how each individual´s informed consent must be obtained in order to collect, maintain or use that personal data.

The new definition of “personal data” will impact every organisation or company that employs cookies on their websites. The GDPR data protection rules recognise “online identifiers”, including pseudonymous identifiers, as personal data. Furthermore, identifiers now considered to be personal data include race or ethnicity, religion or lack thereof, together with genetic or biometric data.

Those who review their GDPR compliance procedures are advised to keep records of the manner in which they obtain individuals’ informed consent. An individual must give consent via a recordable affirmative action if their personal data is to be gathered, stored or used. Each person must be informed, prior to giving consent, what the data is intended to be used for, and they must also be made aware of their right to later withdraw consent.

The Rights of Individuals and GDPR Compliance

Any body which collects, maintains or uses an individual´s personal data but neglects to first acquire the informed consent of those persons, or does not delete its record of the data concerned after an individual has withdrawn their consent, breaches the GDPR. There are numerous other rights of individuals that must be taken into account by companies or organisations when they review their GDPR compliance. These rights of individuals include:

  • The right to view or consult stored personal data.
  • The right to amend any errors in their personal data.
  • The right to be informed as to how personal data will be used.
  • The right to be informed as to how long their personal data will be stored.
  • The right to be informed who their personal data is being shared with.
  • The right “to be forgotten”, i.e. to have any stored personal data permanently deleted.
  • The right to be informed as to the source of their personal data in circumstances where informed consent was not in fact given.

N.B. This is not an exhaustive list!

Businesses and companies will need to review their data gathering, storage and processing mechanisms to guarantee that personal data can be isolated, extracted and permanently deleted when required in order to comply with the GDPR rules for the rights of individuals. Methods of verifying the identity of individuals who wish to exercise their GDPR rights will also have to be put into action.

Data Protection Officers and Ensuring Compliance with GDPR

Included in the GDPR data protection rules are a number of measures which must be taken in order to ensure GDPR compliance. Simply put, the “accountability principle” must be complied with; i.e. companies or organisations must provide transparent privacy policies, and carry out GDPR data protection impact evaluations to identify any potential risks to the security of personal data.

The implementation of procedures to rectify any risks to the integrity of personal data and the application of comprehensive governance measures to guarantee that those procedures are adhered to will be required. Depending on circumstances, it may be necessary to carry out GDPR compliance training and large businesses or companies might have to appoint a Data Protection Officer.

A Data Protection Officer’s role is to act as a counsellor and to monitor GDPR compliance. The officer will be in charge of managing internal data protection activities, offering advice on GDPR data protection impact evaluations, the training of staff and carrying out internal audits. Furthermore, the Data Protection Officer will be the first point of reference for Data Protection Authorities (discussed in detail below) and those individuals who may wish to exercise their GDPR rights.

European Union Penalties following GDPR Non-Compliance

The majority of European Union member states already have their own Data Protection Authorities in place. Their duty is to ensure that national data protection laws are complied with and, where there have been failures to do so, to impose penalties for unauthorized use of personal data. Following the introduction of the GDPR, these Data Protection Authorities will have the power to conduct GDPR compliance audits and impose penalties for any non-compliance found. This will even include circumstances where a breach of personal data has not in fact occurred.

Non-compliance with GDPR attracts a wide variety of penalties depending upon the type of violation, the number or size of records disclosed without authorization, and the action taken by the body in question in order to minimize the breach of personal data. Maximum penalties (which can in fact include accidental disclosure) for GDPR non-compliance are considerable:

  • Non-compliance with GDPR security standards may result in a €10 million or 2% of global annual turnover fine – whichever is greater.
  • Non-compliance with GDPR privacy standards may result in a €20 million or 4% of global annual turnover fine – whichever is greater.

Additional Penalties for Failure to Comply with the GDPR

Additional penalties for lack of GDPR compliance may be imposed in circumstances where a company has failed to notify its Data Protection Authority within seventy-two hours of the discovery of any unauthorised exposure of personal data. Moreover, the company may potentially be charged with a criminal offence or offences depending on the national law of the EU state concerned.

If the exposure of personal data has the possible or probable consequence of the individual(s) concerned falling victim to identity theft, fraud, financial loss, discrimination, injury to reputation or other economic or social disadvantage, the breach must also be notified directly to the individual(s). This may result in a personal compensation lawsuit being brought against the offending organisation.

One exception to the obligation to inform individuals (but not in fact the Data Protection Authorities) exists in circumstances where the exposed personal data had been encrypted, therefore rendering it unusable by the person or persons who gain access to it. In such an event, the Data Protection Officer would have to show to the Data Protection Authority that the data concerned had been kept securely before the breach.

Summary of the GDPR

  • The European Union General Data Protection Regulation (GDPR) will apply from the 25th May 2018 and concerns every company or organisation, inside or outside of the EU, that gathers, stores or maintains the personal data of citizens of European Union member states.
  • Concerning what is defined as “personal data”, any characteristic that could potentially identify or point out an individual is understood to be personal data. Numerous online identifiers such as cookies are included in this definition.
  • An “affirmative action” to give informed consent for the gathering, storage and/or use of personal data must be made by the individuals concerned. The way in which informed consent is given must be recorded and saved by the body which gathers the information.
  • Individuals have wide-ranging rights over how their personal data is gathered, held or used. This includes a right “to be forgotten”. Systems must be put in place to prevent these rights from being exercised fraudulently.
  • Institutions are obliged to implement privacy policies that are clear and transparent. They must also carry out risk assessments and initiate procedures to guarantee the integrity of individuals’ personal data. On occasion the appointment of a Data Protection Officer might be a necessity.
  • A penalty for failing to comply with GDPR may be enforced even when no breach of personal data has in fact happened. The severity of the penalty is dependent on what actions were taken to minimize the unauthorized exposure of the individuals’ personal data.
  • Companies need to inform themselves about the GDPR Breach Notification Rule and the sanctions which may be applied as a consequence of failing to notify the authorities within 72 hours.

Please note that this summary of the GDPR is intended to provide a simple overview of the issues discussed within it. Reasonable precautions have been taken in order to ensure that the content is based on the facts that were available at the time of publication. No responsibility for mistakes or omissions in this GDPR summary will be taken by us. Those concerned about GDPR compliance should take legal advice from a professional as soon as possible.

The post Understanding GDPR Compliance appeared first on HIPAA Journal.