This overview is intended to provide background information to help better understand GDPR and Seismic’s compliance with its requirements. This overview does not constitute legal advice for your company to use in complying with EU data privacy laws like the GDPR. This information is not the same as legal advice, where an attorney applies the law to your specific circumstances. This overview is not legal advice or a legal recommendation. Please consult an attorney if you require advice on your company’s interpretation of this information or its accuracy.
The General Data Protection Regulation (GDPR) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). This regulation becomes effective on May 25th, 2018.
GDPR is an enhancement of the 1995 Data Protection Directive. GDPR will replace the Data Protection Directive when it becomes effective. The Directive set out eight data protection principles that govern the treatment of personal data by organizations:
- Obtain and process personal data fairly
- Keep data only for one or more specified lawful purposes
- Process data only in ways compatible with the purposes for which it was given initially
- Keep data safe and secure
- Ensure data is accurate and up-to-date
- Ensure the data is adequate, relevant, and within scope
- Retain data no longer than is necessary for the specified purpose or purposes
- Give a copy of personal data to any individual upon request
What GDPR Governs
GDPR was created to protect EU Data Subjects–any EU citizen located within the EU. Personal data, as covered by GDPR, is any information related to a person that can be used to identify that person, including but not limited to:
• Email address
• Banking information
• Social media posts
• Medical information
• Computer IP address
Individual Rights under GDPR
Individuals affected by the GDPR are given a host of rights when it comes to managing their private data.
The individual must be provided with clear, unambiguous reasons for the collection and use of their personal data. They then must consent, through a statement or clear affirmative action, to the processing of their personal data in the ways that have been clearly stated.
Data Sharing and Deletion
Individuals possess the right to request that any of their personal information be deleted or that the collected information be shared with them. The right to be forgotten requires data controllers to alert downstream recipients of deletion requests. The right to data portability allows data subjects to demand a copy of their data in a common format.
Data subjects are within their rights to request access to the data that is being stored on them. Entities may not charge for processing an access request, unless they are able to demonstrate that the cost will be excessive. The timeline for processing a request for data access is 30 days. Organizations may refuse, provided clear policies and procedures are in place. They must also demonstrate why each refused request meets the criteria for refusal.
Supervisory Authority for GDPR
GDPR has removed the inconsistency of having multiple supervisory authorities. Under GDPR there is a “one-stop shop provision,” meaning there is a central authority for handling enforcement of the regulations.
Breaches of data must be reported to this central supervisory authority within 72 hours of learning of the breach. Exceptions are made for encrypted or anonymized data. Breaches that are likely to bring harm to an individual–such as identity theft or breach of confidentiality–must also be reported to the affected individuals.
Internal Requirements for GDPR
GDPR includes provisions for how organizations must store, protect, and manage the data they collect. Organizations are required to build in data privacy by design when developing new systems, to ensure compliance with GDPR. Also of note is the Data Privacy Impact Assessment (DPIA). DPIA is the process of considering the impact a project or initiative might have on privacy. Organizations have an obligation to perform this assessment when designing new technologies, or using existing technologies in new ways.
Some organizations will be required by GDPR to have a Data Privacy Officer (DPO) to help oversee compliance efforts. Organizations required to have a DPO are public authorities, companies whose activities involve the regular and systematic monitoring of data subjects on a large scale, and companies that process what is currently known as sensitive personal data on a large scale.
Ahead of GDPR, Privacy Notices, Statements, Terms of Service, and internal data policies will need to be reviewed for compliance with GDPR.
Scope, Accountability, and Penalties Relating to GDPR
GDPR applies to:
• Entities within the EU
• Non-EU businesses that market their products/services to people in the EU
• Non-EU businesses that monitor the behavior of people in the EU
GDPR requires organizations to demonstrate compliance to the supervisory authority. This accountability includes documenting processes and completing training to ensure compliance.
Depending on the nature of the GDPR violation, there are numerous penalties that can be imposed on the offending organization. These penalties can result in significant fines depending on the severity of the violation.