After a long debate and many months of preparation, the EU General Data Protection Regulation (GDPR) has finally replaced the Data Protection Directive 95/46/EC. GDPR is designed to serve one primary objective: “synchronize data privacy laws across Europe, while making it easier for EU citizens to know how their data is being used, and also raise any objection, even if they are not in the country where it is located.” Because of this major change in the guidelines and laws defining data protection, almost all organizations will have to re-evaluate the way they view data privacy. It makes sense to replace the Data Protection Directive, established in 1995, with GDPR, which aims at protecting EU citizens from privacy and data breaches in an increasingly data-driven world. It is important to note that the key guidelines of the previous directive are still valid, although many changes have been proposed to the regulatory policies. The major points of GDPR, together with information on the impact it will have on businesses globally, are summed up below:
A- Highly enhanced territorial scope (extra-territorial applicability)
GDPR's jurisdiction is not bounded by geography: it applies to all companies processing the personal data of data subjects residing within the European Union, regardless of where the company itself is located.
Now this is quite an amount! Organizations found guilty of breaching GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).
Companies can no longer trick their customers. What? Yes, they cannot! Under GDPR, terms and conditions must be concise and easily comprehensible. Not only this: consent must be clear and distinguishable from other matters, requested via an easily accessible form using simple and direct language. Moreover, it must be as easy to opt out as it is to opt in.
Then there is the major one, where organizations need to invest time and technology to bring their processes in line with GDPR. And what is that? EU citizens now have exclusive Data Subject Rights. This makes them more powerful: no company can downplay a customer's request for an explanation if the customer feels his/her data has been misused or that its confidentiality, as defined under GDPR, has been breached.
1- Breach Notification
In case of a data breach, data processors, whether automated or manual, must notify the affected customers and the controllers without any impediment, and at most within 72 hours of becoming aware of an incident relating to a potential data breach.
2- Right to Access
GDPR gives data subjects the right to obtain from the data controller confirmation of whether their personal data is being processed at all and, if so, where, how and for what purpose. In addition, the data controller must provide a copy of the personal data in electronic format to the data subject concerned. This service request is free of charge for the data subject.
3- Right to be Forgotten
This guideline entitles the data subject to have his/her personal data erased from all systems, including those of any third parties involved. Such a request by the data subject is tantamount to withdrawal of consent.
4- Data Portability
The data subject can now choose to change data controller at any time and transmit his/her personal data to the new controller in a commonly readable, machine-readable format.
5- Privacy by Design
This is what I call “old wine in a new bottle!” Under GDPR, Privacy by Design means building data protection components into a system from day one, rather than bolting them on at a later or final stage as an add-on. It also means the data controller should process only the limited data necessary to complete its tasks, and at the same time restrict access to personal data to those who need it for the processing requests or tasks related to their role.
6- Data Protection Officers
This one is a little tricky. As of now, it is the data controller's responsibility to notify the Data Protection Authorities (DPAs) of its data processing activities. To simplify the process, the company is required to maintain internal records. However, organizations whose controllers and processors engage in large-scale monitoring of data subjects, or process particular categories of data, or data relating to criminal convictions and offences, must appoint a dedicated DPO, and specific guidelines govern that appointment. Any deviation from these guidelines will be considered a breach of GDPR.
GDPR has already triggered a flurry of activity in the tech world. Recently Facebook moved close to 1.5 billion users out of reach of European privacy law simply by relocating its Ireland-based HQ to its main offices in California. Brilliant idea, because now all these Facebook users will be using a site governed by US law rather than by Irish law, Ireland being part of the EU.
But can US businesses hide from GDPR? According to Forbes, the answer is no!
Many businesses have the wrong impression that, since they do not operate from the EU, they need not comply with GDPR. But think again. The regulation affects firms whether they operate within or outside the EU. The hard reality is that any company dealing with the data of EU businesses, residents, or citizens will have to fulfil all the guidelines outlined in GDPR. This means that even a company with no European presence still bears legal liability under GDPR merely by processing an EU resident's personal data. As simple as that!
At HireHere we are working towards GDPR compliance, and we are committed to offering the highest data protection standards necessary within our existing technology ecosystem, which was built from day one with data privacy and its role-based classification in mind.