Disclaimer: The purpose of this article is to help you understand the GDPR. It should not be considered legal advice that your organization should rely on in an attempt to achieve GDPR compliance. For a complete and accurate interpretation of the law, please consult a legal advisor.

Introduction: What is the GDPR and who does it affect?

The countdown has begun. With the commencement of the EU General Data Protection Regulation (GDPR) only a few months away, companies in Europe are busy trying to figure out all of its articles, recitals and fines and envision and prevent potential repercussions for non-compliance.

The GDPR contains 99 articles, 173 recitals, 260 pages and 4000 amendments.

The GDPR is the central, EU-wide law that is coming into effect on May 25, 2018 and which will harmonize and unify (often inconsistent) data privacy laws across Europe, protect the EU citizens’ private electronic information and enhance their privacy, simplify the regulatory environment within the EU, change the way organizations approach data privacy and give more power to the regulatory bodies to take action against organizations that are in breach.

Contrary to popular belief, the GDPR will not affect only the companies and countries belonging to the European Economic Area (EEA), which includes all EU member states, post-Brexit UK, Iceland, Liechtenstein and Norway. It will also apply to all organizations (both public and private) that are located outside of the EU if they offer goods or services or monitor and process personal data of subjects currently residing in the EU/EEA.

Terminology decoded

Data subject ‒ a person/individual based in the EU and other affected European countries.

Data controller ‒ an organization that collects personal data from EEA residents (e.g. a bank, a phone company, government).

Data processor ‒ an organization that processes personal data on behalf of the data controller (e.g. email archiving company, cloud service provider).

Data Protection Officer ‒ The GDPR explicitly requires certain organizations to appoint a data protection officer (DPO) if they are public authorities, if they conduct large-scale systematic monitoring of individuals or process data related to criminal offenses. Other organizations are not obliged to appoint a DPO. However, they are expected to possess the skills and staff necessary to respond to the GDPR demands. It is estimated that 28,000 DPOs will be appointed in various organizations across Europe to ensure compliance with the GDPR.

Every time you buy a ticket online, check in a hotel or take part in a survey, you provide your personal information. Do you know how this data is used?

Personal Data ‒ What exactly does GDPR consider personal data? The definition (“Any information related to natural person and GDPR data subject that is identified and identifiable”) has been broadened and data is generally regarded as belonging to two groups — Personal Data and Sensitive Personal Data.

Personal data encompasses information such as: data subject’s name, biometric information (e.g. photo), location data (e.g. address), phone number, income and other financial data, and online identifiers such as IP address, cookies, apps, posts on social media sites, RFID tags. Online identifiers can leave traces which can be combined with other info and be used to create profiles of data subjects.

Sensitive personal data includes (but is not limited to) the following: health, genetic, socio-economic, cultural profile (racial, ethnic and religious info), sexual orientation etc.

Online identifiers are considered personal data because they leave traces which can be combined to create customers’ profiles.

Pseudonymization & Encryption are processes which transform personal data in a way that it can’t be associated with a specific individual. Encryption entails techniques that make sensitive data unintelligible and undecipherable without a decryption key. GDPR mandates that all personal data be encrypted.

Important provisions & rights given to citizens

Consent demanded from data subjects to have their personal data processed must be asked explicitly, in plain, understandable language. An individual is granted the right to withdraw previously given consent at any time.

Right of access

Data subjects are given the right to access their personal data and obtain information from data controllers on details of data processing such as

whether their data is being processed, what the purpose of processing is, who the processed data is shared with and how the data was originally acquired.

Data Portability

A person should be able to transfer their personal data from one data processor to another.

Right to Be Forgotten (Right to Erasure)

In case there is no legitimate reason to preserve a particular EU citizen’s data, they can withdraw consent and demand that their private information no longer be processed and request permanent deletion.

Privacy by Design

Companies processing personal data will need to design policies, implement technical data protection measures and consider the ethical aspects of their data collection process.

Breach Notification

A data security breach is an accidental or deliberate unauthorized access, destruction, loss or disclosure of personal data. GDPR mandates measures that need to be taken to address data breaches — notify authorities within 72 hours after the discovery of the breach. Data processors are also required to inform their customers of the breach. Data subjects have the right to know that their personal data has been hacked.

What are the penalties for non-compliance?

Although the majority of sources focus on the 4% of annual global turnover fine (or €20 million, whichever is higher), it needs to be clear that this is only the maximum fine that will be imposed on organizations responsible for the most serious infringements. There will be a tiered approach to fines. Here’s the list of some of the sanctions that organizations might face:

a written warning in cases of first or unintentional instance of non-compliance

in cases of first or unintentional instance of non-compliance regular audits conducted by relevant authorities

conducted by relevant authorities a €10 million (or 2% of the annual global turnover, whichever is higher) fine for not having their records in order or not notifying the data subject and relevant authorities about a data breach

fine for not having their records in order or not notifying the data subject and relevant authorities about a data breach a €20 million (or 4% of the annual global turnover, whichever is higher) fine for violating some of the essential principles of the regulation such as collecting citizens’ private data without explicit consent.

The aftermath of such sanctions can result in loss of customer confidence, bad reputation and negative press. The sanctions apply to both data controllers and data processors, which means that cloud services providers, for example, won’t be exempt from the GDPR.

The maximum fine for non-compliance with the GDPR is 4% of annual global turnover or €20 million, whichever is higher.

What does this mean for your organization?

Organizational changes

First and foremost, be prepared for a profound transformation in how your business uses, retains and manages communications data. Hopefully, you have already mapped out a plan, assessed your current policies and procedures and educated all your employees on the importance and potential consequences of the GDPR. Consider the need to appoint a Data Protection Officer and remember that this position will need to be filled if you collect and process data on a large scale. Even if it turns out you don’t need a DPO, choosing to take on a compliance officer will certainly prove worthwhile in the long run.

Technology

To meet GDPR requirements, your organization will need to know exactly where private data is stored. In the majority of companies, such data is scattered across servers and employee mailboxes. Consequently, the first technological step to compliance is to re-examine your current infrastructure. Remember that email, social media and instant messaging exchanges are especially prone to GDPR violations since they are used for sharing personal information and remain the main targets of cyber criminals.

Implementing an archiving or data governance solution combined with a well-planned and executed organizational strategy will help your organization stay in compliance with this new and demanding regulation. An information archiving solution would enable your company to house private data in a single, safe and tamper-proof repository which would be put under the control of specific individuals (the administrator and data protection officers). The unparalleled search and information retrieval capabilities of such archives would allow you to locate, fetch and delete data upon request, as well as ensure fast and effective eDiscovery response and prevent data from leaking.

Finally, in order to make sure that the transition is as smooth as possible, remember to take a proactive approach to compliance, hire experts and work on GDPR diligently before it comes into full effect in May. Good luck!