There has been a lot of buzz recently about the new General Data Protection Regulation (GDPR), which takes effect on May 25, 2018, officially replacing the Data Protection Directive from 1995.
If you market to, process, transmit or store information of European Union (EU) data subjects – including employees, customers and end users – you will need to adjust your organization’s data management to align with the new GDPR requirements. Failure to comply with regulations can result in a fine of up to 4 percent of annual global turnover or €20 million, whichever is greater.
These new regulations should encourage your organization to take a fresh look at how you control exposure to personal data, employ security mechanisms to protect personal data, detect breaches and notify supervisory authorities of them in a timely manner, keep records of data-processing activities and document risks and security measures.
Why GDPR is Being Implemented
In an increasingly data-driven world, people want more control over their personal data and transparency into how businesses are using their data. Individuals are not only concerned about how organizations are using their information for advertising, but also how their data might be exposed to the increasing threat of cyber incidents.
To combat these issues, GDPR is being implemented for the following reasons:
- To standardize data privacy laws across Europe;
- To protect and empower all EU citizens’ data privacy; and
- To reshape the way organizations across the region approach data privacy.
Companies must continue to listen to and meet the privacy demands of users, and GDPR is the first step toward creating more transparency between brands and individuals.
6 GDPR Changes to Expect for Your Business
There are a few key changes to previous legislation that your organization will need to prepare for in your transition to GDPR compliance.
- Consent
Under GDPR, consent for processing data must be clear and distinguished from other matters and provided in an easily accessible form, and the individual must easily be able to withdraw consent. For instance, companies will no longer be able to assume users give permission for their data to be stored and used. Even pre-checked boxes on websites will no longer constitute consent in most instances. Businesses will now have to allow users to explicitly give their consent through a written or verbal statement or electronic means.
- Breach Notification
If your company is the victim of a personal data breach, you will now be required to issue a breach notification within 72 hours of being made aware of the breach – unless you are able to demonstrate that the breach is unlikely to result in a risk to the rights and freedoms of the people impacted by the breach.
- Right to Access
Data subjects have the right to obtain information on whether their personal data is being processed, where it is being stored and used and for what purposes. Data controllers must provide a copy of the personal data free of charge upon request once.
- Right to be Forgotten
Think of this as a universal data opt-out option. Subjects will have the right to have their personal data erased without undue delay if that information is no longer necessary in relation to the purposes for which it was collected.
- Data Portability
This new regulation gives data subjects the right to receive personal data concerning them and the right to transmit that data to another controller.
- Privacy by Design
This concept has been around for years and is now a requirement in the GDPR. It calls for the inclusion of data protection during the design of systems rather than as an addition.
INAP’s Commitment to GDPR Compliance
INAP has been preparing for the GDPR implementation ever since the law was passed in 2016.
The security of our global infrastructure is one of our top priorities, and we have been reviewing and updating our customer privacy and security policies to better safeguard your data and ensure we are in compliance with the new regulations. We are entering into data processing agreements with our customers if GDPR applies to the processing of their data and entering into sub-processing agreements with vendors when necessary.
For more information about our processing roles and responsibilities, as well as our commitment to customers as a data controller, visit INAP’s GDPR page.