General Data Protection Regulation (GDPR): what does it change?
In this publication I would like to present an overview of the forthcoming changes in personal data processing. “GDPR”, “GDPR requirements” and “GDPR compliance” are terms all of us have been hearing more and more often recently. Awareness of GDPR (coming into force on 25 May 2018) among organizations is slowly growing, but many of them still believe that the crux of the matter lies in preparing a few documents.
Unfortunately, that is a false assumption. The GDPR is about implementing “technical and organizational” security measures so that personal data can be processed securely. In other words, you need to implement and operate an information security management system (ISMS) that protects the personal data your organization processes.
What is GDPR?
GDPR is Regulation (EU) 2016/679 of 27 April 2016 “on the protection of natural persons with regard to the processing of personal data and on the free movement of such data”. To read the full regulation text, please visit this link.
The regulation applies to organizations established in the EU (Art. 3(1)) and to organizations outside the EU that process personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour (Art. 3(2)). If I were to sum up the two main conclusions from the regulation, they would be:
- As individuals, we now have much broader rights regarding the processing of our personal data, backed by fines of up to EUR 20,000,000 or 4% of the company’s total worldwide annual turnover, whichever is higher (Art. 83(5)).
- As organizations, we have to secure personal data processing on both the technical and the organizational level.
Individual Rights
GDPR grants the following rights to us as individuals:
- The right of access – from May 2018 each of us will be entitled to drop any organization a line and ask it to confirm whether it processes our personal data and, if so, to share a copy of that data together with the purposes of processing and the recipients it has been disclosed to (Art. 15).
- The right to rectification – we will have the right to have inaccurate information about us corrected and incomplete information completed (Art. 16).
- The right to be forgotten (right to erasure) – yes, you have read correctly. Thanks to GDPR we will have, at least in some situations, the right to ask an organization to delete all the information it holds about us (Art. 17). That applies in particular when the processing was based on our consent and we withdraw it, or when the data is no longer needed for the purpose it was collected for. To put it straight, you will be able to ask our friends from e.g. “🙂 book” to delete all your personal data.
- The right to restrict processing – in certain circumstances, for example while the accuracy of the data is being disputed, we will be able to ask an organization to restrict the processing of our data (Art. 18).
- The right to data portability – we will be able to obtain the personal data we have provided to an organization in a structured, commonly used and machine-readable format and, where technically feasible, have it transmitted directly to another organization (Art. 20). Sounds like a purely theoretical case? Just imagine transferring your medical record from one health care provider to another.
- The right to object to processing – you are going to like this one if you do not fancy talking to telemarketers. Your phone number is personal data, and an objection to processing for direct marketing purposes must always be honoured (Art. 21). With EUR 20,000,000 fines behind you, you might sound convincing 🙂
- The right not to be subject to solely automated decision-making – with Artificial Intelligence (AI) getting more and more involved in personal data processing, we have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects on us (Art. 22). In case you do not trust AI, you are entitled to ask for human intervention.
Responsibilities of the Organization
OK, now it is time to look at the other end of that stick. In the list below I present the main, though not all, responsibilities of organizations under the GDPR.
- Lawfulness of processing – the organization must process personal data lawfully. GDPR provides a closed list of six legal bases for processing (Art. 6(1)). The broadest one is the individual’s consent, but even in that case it can be withdrawn at any time.
- User consent – when processing is based on consent, the organization has to be able to demonstrate that the individual actually gave it, and withdrawing consent must be as easy as giving it (Art. 7). Personal data obtained from another source, rather than from the individual directly, is subject to the same rules, and the individual must still be informed about the processing (Art. 14). Well, telemarketing will never be the same, will it?
- Very limited processing of special categories of personal data – processing sensitive data such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or a person’s sex life or sexual orientation is prohibited except in the specific cases listed in Art. 9.
- Technical and organizational measures – GDPR obliges the organization to implement technical and organizational measures that ensure a level of security appropriate to the risk (Art. 32). If you are looking for a more detailed answer on what that means, the regulation itself names pseudonymisation and encryption, the ability to ensure the confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability after an incident, and regular testing of the effectiveness of the measures. At the moment I would personally recommend referring to the ISO 27001 standard, whose Annex A provides a detailed list of security controls from which an Information Security Management System can be built.
- Shared liability – GDPR makes organizations liable to individuals for damage caused by a personal data breach. The liability is shared across the whole supply chain: the controller and all its processors can be held jointly liable for the same damage, with a processor liable where it has breached its processor-specific obligations or acted outside the controller’s lawful instructions (Art. 82). That is surely going to raise expectations regarding suppliers’ maturity in the secure processing of personal data.
- Working with qualified processors – when an organization delegates personal data processing to a subcontractor (processor), it may only use processors that provide sufficient guarantees that they will implement appropriate technical and organizational measures. Such delegation has to be governed by a contract with the content required by Art. 28, and a processor may engage its own sub-processors only with the controller’s authorisation.
- Records of processing – each organization has to maintain records of its processing activities (Art. 30).
- Risk-driven security measures – for every category of personal data processing, the organization must assess the risk to the rights and freedoms of the individuals concerned and, based on that, select the organizational and technical measures that will protect the data. Where the processing is likely to result in a high risk, a data protection impact assessment is mandatory (Art. 35). This again is well aligned with the risk-based approach of ISO 27001.
- Notifying the supervisory authority about breaches – a controller that suffers a personal data breach must notify its supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals (Art. 33). A processor must notify the controller without undue delay. Prior to and in addition to that, the security incident handling process is expected to have been triggered to handle the situation.
- Informing individuals about data breaches – following the previous point, where a breach is likely to result in a high risk to the rights and freedoms of individuals, the organization must inform the affected individuals without undue delay (Art. 34). Sounds trivial? Think about 100,000+ personal data records …
- Designation of a Data Protection Officer – GDPR obliges some organizations, in particular public authorities and those whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data, to designate a Data Protection Officer (Art. 37). The DPO monitors the organization’s compliance, advises on data protection obligations and acts as the contact point for the supervisory authority.
Summary
Thus we come to the end of this overview of the changes the new General Data Protection Regulation brings to both individuals and organizations. If, as an organization, you would like to meet the GDPR requirements, please check out our ISO 27001 / GDPR know-how set on the in2outs platform. It will help you quickly define both the organizational and the technical security measures required to assure the security of personal data processing in your organization.
Check out the ready-to-buy know-how set
Below you can find the ready-to-buy know-how set used for defining an ISO 27001 / GDPR ISMS.