Short for General Data Protection Regulation, this EU data protection regulation goes into effect on May 25th, 2018 and has been cited as the most important change in data privacy regulation in 20 years.
Approved by the EU Parliament on April 14th of 2016, GDPR actually replaces the EU Data Protection Directive of 1995 (throwback) which aimed to protect personal data and the fundamental human right of privacy for citizens of the EU.
Back then, the Organization for Economic Co-operation and Development (OECD) outlined eight principles, endorsed by both the EU and the US, relating to processing, using or exchanging such data:
Collection Limitation Principle
There should be limits to the collection of personal data, and data should be obtained by lawful means.
Data Quality Principle
Personal data should be relevant to the purposes for which they are to be used, accurate, complete, and kept up-to-date.
Purpose Specification Principle
The purpose for the collection of data should be specified at the time of collection.
Use Limitation Principle
Personal data should not be used for purposes outside of the original intended and specified purpose.
Security Safeguards Principle
Personal data should be protected against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.
Openness Principle
Individuals should have easy access to information about their personal data, who is holding it, and what they are using it for.
Individual Participation Principle
An individual should have access to their personal data and be allowed to challenge the accuracy of the data.
Accountability Principle
Data controllers should be accountable for complying with the measures detailed above.
In order to be ready for when the GDPR becomes fully enforceable.
Data subjects include prospects, customers, partners, employees, vendors, etc., and their personal data can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
A company collecting, processing, or exchanging EU consumer data (regardless of the company’s location) must now abide by the following guidelines:
- Breach notification becomes mandatory, and breaches must be reported within 72 hours
- A subject’s personally identifiable information (PII) cannot be stored without their consent
- Data subjects must be informed of any third-party disclosure and can request that further dissemination cease
- A company must implement a privacy impact assessment (PIA) for every identified risk, and their associated systems and processes
- Privacy by Design (PbD) is to be adopted: data protection is built in from the onset of system design, rather than added afterwards
- An official data protection officer (DPO) must be appointed or hired for large-scale systematic data collection, ensuring GDPR compliance
Additionally, it’s important to note these rules apply to both controllers and processors. This covers any downstream service and does not exempt ‘clouds.’
Here are a few best practices you can use to get your own GDPR compliance strategy in place:
- Map out your data supply chain
- Identify weak spots and vulnerabilities
- Implement privacy controls to protect against possible breaches
- Document, communicate, and enforce a privacy framework with third parties