The EU’s General Data Protection Regulation (GDPR) is one of the most sweeping regulations affecting data privacy ever enacted. When it comes into full effect on May 25, 2018, companies around the world will have to adjust the way they handle user data or else face severe penalties and fines. This fact sheet will help clarify the major actions that organizations can take to become GDPR-ready as the deadline approaches.
What do companies need to know about GDPR?
Who does GDPR affect?
All companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
What about Brexit?
The government has made it clear that GDPR will still apply in the UK regardless of Brexit.
What counts as personal data?
Any information connected to a “data subject,” which can be used to directly or indirectly identify the person. It could be a name, an email address, bank details, medical information, a computer IP address, and more.
What are the penalties for non-compliance?
For the most serious infringements, organizations could be fined €20m or 4% of global revenue.
What’s the difference between a data controller and a data processor?
A data controller determines how personal data is used and for what purpose. A data processor processes personal data on behalf of the controller. Both can be liable in case of non-compliance. Data controllers are also responsible for non-compliance by data processors (such as third-party vendors) that handle the data the controller collected.
What new rights do data subjects have?
There’s a wide range, including the right to access, which means individuals can request to know how their information is being held and processed. Data subjects also have the right to be forgotten, which means people can ask a data controller to erase the information held on them. Requests must also be dealt with within a set time frame.
What is privacy by design?
This concept, now written into the legislation, means that systems must be designed with robust data protection built in from the outset, rather than added on afterwards. GDPR also requires data controllers to hold and process only the information deemed absolutely necessary.
What if there’s a breach?
Under GDPR, breach notification will be mandatory where a data breach is likely to result in a risk to the rights and freedoms of individuals. Notification must happen within 72 hours of becoming aware of the breach.
GDPR Checklist: What steps can companies take to become GDPR-ready?
Know your data
Companies can’t comply with GDPR if they don’t know what their risk areas are.
Companies should therefore:
- Find out what data they hold, where it’s coming from, how they use it, and whom they are sharing it with.
- Create a data map of their organization and learn how data flows through it and the supply chain.
- Identify the spend categories that carry the biggest GDPR risks and identify which contracts GDPR applies to. Companies will need to go contract-by-contract rather than supplier-by-supplier.
Companies should work with their legal team to ensure all relevant contracts include protection against GDPR-related risk and categorize their suppliers accordingly.
Know your vendors
Companies should make sure they have a supplier selection process, which includes categorizing their vendors.
Companies must vet the vendors that have access to user or client personal data to make sure those vendors have appropriate technical and organizational measures in place.
Companies should also check internal systems to ensure that processes are in place to enable the organization to satisfy the 72-hour breach notification requirement.
This is not a one-time event. Companies need to think about ongoing contract management, which means reassessing their vendors on a regular basis.
Rehearse your response
Under GDPR, data subjects will have the ability to request their information and have the right to be forgotten.
These requests must be dealt with within a month.
Since it’s a challenge to respond within that time frame while managing a complex supply chain, companies should hold drills to make sure they are equipped for this.
Every company, whether large or small, is dealing with GDPR. But the lack of case law or history means everyone tries to comply in their own way.
Companies should keep an eye on what their peers and competitors are doing, and consider collaborating on good practices.
It’s no good having the right strategy in place if your employees aren’t aware of changes to how you manage data. Make sure anyone who deals with suppliers and data (such as contract managers or supplier relationship managers) is aware of the new rules and their responsibilities.