GDPR compliance is compulsory for every business that collects, maintains, or uses the personal data of EU citisens. The implementation of the General Data Protection Regulation (GDPR) and the subsequent need for GDPR compliance will have a significant impact on how businesses and organisations approach data protection, regardless of their geographical location.
It is important to make the distinction between an EU Directive and an EU Regulation. An EU Directive is a general set of guidelines EU member states can base their own national laws around, whereas, an EU Regulation is EU-wide legislation that all member states have to comply with and is enforceable by law.
GDPR is an EU Regulation. It replaces the previous 1995 EU Data Protection Directive and standardises data protection laws throughout the European Union. The regulation gives businesses and organisations operating in multiple EU member states a uniform set of rules to work within and resolves issues that could not have been foreseen in the 1995 Directive, such as data processing in the cloud.
Key factors
The EU General Data Protection Regulation came into force on 25th May, 2018 and applies to every business within or outside of the European Union. The key factors of the GDPR Data Protection Rules include a comprehensive definition of what constitutes personal data, the rights of individuals to know how their personal data is being used, what personal data can be collected under the GDPR Data Protection Rules, and how businesses obtain each individual’s informed consent to use the individual’s personal data.
The definition of what constitutes personal data will affect every business that uses cookies on their website as it is considered personal data under the GDPR Data Protection Rules. Other identifiers now considered to be personal data include racial or ethnic origin, religious or philosophical beliefs, and genetic or biometric data.
Businesses and organisations reviewing their GDPR compliance efforts should take careful note of how they obtain each individual’s informed consent. Personal data can only be collected, maintained, or used if an individual has given their consent by a recordable affirmative action. Hence, the individual must be told before giving their consent what the data will be used for and their right to withdraw their consent.
GDPR compliance
Any business that collects personal data without informed consent or that fails to delete the data after an individual withdraws their consent, is in breach of GDPR. There are many rights that individuals have that businesses should take into account when reviewing their GDPR compliance. These individual rights include:
- The right to access stored personal data
- The ability to rectify errors in an individual’s personal data
- Know how personal data will be used
- Know how long personal data will be stored
- Know how personal data is being shared
- Individuals can be “forgotten” and have any stored personal data permanently deleted
- Know the source of personal data if informed consent was not given
In order to comply with the GDPR Data Protection Rules for the rights of individuals, businesses will have to revise their data collection, storage, and processing mechanisms to ensure personal data can be isolated, extracted, and permanently deleted as required.
GDPR penalties
Authorities will be given the power to conduct GDPR compliance audits and impose penalties for non-compliance.
Penalties for non-compliance with GDPR can vary widely depending on the nature of the violation, the volume of records disclosed without authorisation, and the efforts made by the business to mitigate a breach of personal data. In worse case scenarios, the penalties for non-compliance with GDPR are substantial, including:
- Non-compliance with the regulation’s security standards can result in a fine of up to €10 million or 2% of global annual turnover
- Non-compliance with the regulation’s privacy standards can result in a fine of up to €20 million or 4% of global annual turnover
Further penalties for failing to comply with GDPR can be imposed if a business fails to report the unauthorised exposure of personal data within seventy-two hours of the exposure being discovered. The business may also be charged with a criminal offence depending on the national law of the EU member state. If the unauthorised exposure of personal data is likely to result in the affected individual potentially suffering identity theft or fraud, financial loss, discrimination, damage to reputation, or other significant economic or social disadvantage, the breach also has to be notified.
What you can do
Many organisations are just beginning to get to grips with personal data capture and use, and the sophisticated level of monitoring and policing that the new legislation mandates. Businesses will need to implement wide-ranging changes to how they process, secure, protect, and report on the data they hold. Businesses can get the ball rolling by:
- Understanding how GDPR affects you as a business and how you are going to be impacted by this ruling. Consider carrying out a full assessment of which changes apply to your business and the areas which present the greatest risk
- It’s crucial that your company understands the resources needed to transform the way the organisation handles personal data and the risks of not complying
- The law will hold organisations fully responsible for meeting the new data requirements, so make sure you review existing systems, procedures, and contracts with cloud vendors to avoid hefty fines
- Depending on the level of change required in your business, consider appointing a Chief Data Officer or an external partner to oversee GDPR-readiness of your organisation
Be protected, be compliant
Personal data is increasingly at the heart of a modern organisation’s operations, and this is an excellent time to make sure the level of your data protection in place is fit for the new digital era. Staying within the law is one thing, but meeting changing customer expectations is equally important.
In order to keep up with GDPR Regulation, you can view this helpful checklist:
*Please note that Cognite does not offer legal advice. We are just making people aware of it. Businesses and organisations concerned about GDPR compliance should take professional legal advice*
Helpful links