All the resources you need to comply with the new EU Data Protection Regulation
Useful resources to be GDPR compliant
Fear of change is the overwhelming feeling that everyone hates. Why? It takes people out of their comfort zone.
We usually react to change with anxiety and suspicion, because we don’t have the slightest idea of how things will play out. It makes us wonder if we’re up to the challenge. It also disrupts our flow, the way we are used to doing things.
But as soon as we start learning about the change, its causes and effects, we begin to settle down. After all, we have learned to adapt to new things every day.
The same thing happened when the new General Data Protection Regulation (GDPR) was announced.
But we’re here to help you understand the basics and how this new legislation works, so you’ll be prepared when it rolls out.
In a nutshell, you can read our free downloadable EU GDPR compliance checklist, which includes all the steps you need to take to be prepared for the new Regulation, with a list of helpful resources and examples.
What is the EU Data Protection Regulation?
The EU GDPR is a new reform meant to replace the outdated Data Protection Directive from 1995, which could no longer handle the current privacy and security needs of European citizens. The EU Data Protection Regulation regulates how personal data is collected and managed inside the European Union.
The purpose of the new legislation is “to strengthen and unify data protection for all individuals within the EU”, as well as to simplify things and make it easier for people to control their personal data.
Need to know facts about the EU GDPR
This policy is an important element of the EU privacy and human rights law. And it’s crucial for our digital economy and for shaping its evolution in the coming years.
The European Commission finalized the new GDPR policy in February 2016, and it is expected to become enforceable in May 2018 after a two-year transition period. This regulation will be directly applicable to all the states which are part of the EU, without national legislation needing to be implemented. This doesn’t cover only public institutions, but all entities that collect and handle personal data within the Union.
Organizations aren’t prepared yet for the new EU GDPR
Crowd Research Partners conducted a study which aimed at identifying the perspective of organizations about the new regulation and how they plan to be compliant. The results have revealed that:
- Over 90% of surveyed organizations have shown familiarity with the EU GDPR, but only one third of them (about 32%) said that they are compliant or prepared for the new legislation.
- Approximately 30% of respondents aren’t prepared yet and report that they will need to make substantial changes to security practices and technology to be in accordance with EU GDPR policies.
- Among organizations where EU GDPR is a top priority, 65% are planning on having a Data Protection Officer, either in house or outsourced.
Another survey released by Dell also found that organizations aren’t aware of the requirements of the new regulation, how to prepare for it, and how it can impact data security and the business. More than half of organizations haven’t started to work on their GDPR compliance readiness, said another study conducted by Vanson Bourne.
This lack of preparedness for GDPR can damage organizations’ and businesses’ reputation and expose them to penalties or potential breaches.
Here’s an example of a British company that broke the Privacy and Electronic Communication Regulations (PECR) while preparing for the GDPR and got penalized. Or Google’s € 2.42 billion fine from the European Commission for “abusing the Internet search market through European Economic Area by giving its own comparison shopping service an illegal advantage.“
What is the purpose of the EU GDPR?
This new set of rules coming into force in May 2018 aims to give EU citizens more control over their personal data. Privacy is a fundamental right in Europe and the new regulation is trying to enhance that.
It will also simplify the regulatory environment for businesses, taking a step forward to a Digital Single Market in the EU which aims at offering people and businesses more digital opportunities and where free movement of persons, services and capital is ensured.
The purpose of the GDPR is to protect all European citizens from data breaches in an increasingly data-driven world that is slightly different from the period in which the 1995 Directive was established.
10 key aspects of the EU Data Protection Regulation
There are some essential elements about the General Data Protection Regulation (GDPR) that you should definitely know, beyond what you have already read and found out. Bottom line, it’s all about the user, the customer and businesses.
Here are the most important aspects of the GDPR:
1. Data collection rules become tighter
The new policy states that “personal data can only be gathered legally under strict conditions, for a legitimate purpose.” This means that business owners will have to consider what information they collect about their customers a lot more carefully.
The latest set of rules has been built so that users can rest assured that their data is heavily protected anywhere in the EU, and they have the right to complain and get redress, if data is misused anywhere within the European Union.
2. You are responsible for keeping personal data safe from harm
The new EU GDPR emphasizes that legal entities which collect personal information must protect it from being misused or tampered with. Moreover, you’ll have to set privacy settings to high by default.
All those influenced by the new rules (and that probably includes you too) must acknowledge that they are responsible and accountable to the data owners.
Keep your data safe by:
- Protecting servers from potential cyber attacks that can access your computer and encrypt your files;
- Using an HTTPS certificate by default on all websites that collect personal data, to ensure more online safety;
- Installing an antivirus program to keep you safe against attacks that can compromise your sensitive data and following additional security measures.
3. Data owners have the right to be forgotten (also known as Data Erasure)
The new regulation establishes that everyone has the right to have their personal data protected. This includes the “right to erasure”, which allows users to request that their personal data be deleted from a company’s or institution’s database. The conditions for erasure, as outlined in article 17, “include the data no longer being relevant to original purposes for processing, or a data subject withdrawing consent.”
This can only be done if the controller has serious reasons to act on a person’s request, such as non-compliance. The idea behind this is that people have the right to privacy and to keep information about them confidential. For example, if an institution has outdated or incorrect data about a person, that person can legally ask for it to be deleted.
Moreover, to be GDPR compliant, any company within European Union should provide easy access to personal data of their employees.
4. Users enjoy a lot more control over their data
It’s clear that the new EU Data Protection Regulation is focused on giving users more power over their data. This is a good thing for companies as well, although it may not seem that way.
More transparency can improve the relationships between businesses and their customers. It inspires more trust which leads to attracting more and more customers. Don’t underestimate the power of transparency!
Facebook, for example, introduced some features that alert users when something in their usual usage pattern changes, so they can be mindful of their data and its safety.
As part of this increased control, GDPR introduces data portability which gives users the possibility to transfer their personal data from one electronic system to another. This means that you, as a business owner, will have to make sure that the data is collected in an organized way, so it can be easily moved.
In another example, Google offers users a security checkup for better online protection. You can manage the types of data Google collects, update what personal information you share with friends or make public, and adjust any other type of information.
5. Customers will be able to launch “class action” lawsuits
The EU GDPR empowers users not only to learn about their data protection rights, but also to defend them. Users will be able to sue for compensation in the event of a data breach or other events that put their personal information at risk.
Business owners should take this very seriously, because a mishandled cyber attack can have serious financial consequences and also affect a company’s reputation and brand. And the impact can be long-lasting.
6. You’re in charge of getting consent and communicating user rights
The new regulation has strengthened the conditions for consent, meaning that companies will have to get explicit consent for the data they’re collecting about their customers. “Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language”, says the GDPR.
You won’t be able to rely on users opting out of their data being used. Customers will have to opt into your data collection system, and they’ll be able to withdraw consent as well.
Moreover, it’s mandatory that you inform and remind clients of their rights at every stage of getting their consent (and even beyond these interactions).
These ten positive examples will help you understand why and how customer data is collected, and how customers can opt out. This video example shows how to present data and privacy policies in a transparent way.
7. Immediately reporting data breaches becomes mandatory
Under the GDPR, everyone who manages personal data will be legally compelled to notify the authorities of a data breach without delay. And “without undue delay” translates into 72 hours.
And if you, as a business owner, realize that customers have suffered as a consequence of the data breach, you are legally bound to notify them as well. But the policy doesn’t mention any deadline for this.
In the past, many companies have tried to keep data breaches secret until the truth could no longer be covered up. The Breach Level Index tracks lost and stolen data, and these numbers confirm the companies’ behaviour of hiding them. The EU GDPR wants to change that and make sure that all proactive data protection measures are taken. And, if a security breach does lead to data leakage, that the company discloses the impact and mitigates the effects adequately.
Source: Breach Level Index
8. Stronger sanctions for not complying with the EU GDPR
While the General Data Protection Regulation may look like a set of recommendations, it will apply and have the impact of any law. To make things clear, the European Commission introduced huge sanctions for non-compliance.
Here are the different types of penalties that can be applied:
- a warning in writing in cases of first and non-intentional non-compliance
- regular data protection audits
- a fine up to €20 million or 4 per cent of annual global turnover of the preceding financial year in case of an enterprise, whichever is greater.
Source: European Commission
9. Transferring personal data outside the EU is now clearly regulated
International personal data transfers have also been regulated, which includes “all EU countries and in addition, non-EU countries Iceland, Liechtenstein and Norway.”
Three major points stand out from the agreement between the EU and the US on a new framework for transatlantic data flows, namely the EU-US Privacy Shield:
- Strong obligations on companies handling Europeans’ personal data and robust enforcement
- Clear safeguards and transparency obligations on U.S. government access
- Effective protection of EU citizens’ rights with several redress possibilities.
Consequently, if your company operates through legal entities located both in the EU and in the US, you’ll have to consider all the implications of the GDPR. Think of Facebook as an example, so you can get a better picture of what this means.
According to EurActiv, European privacy watchdogs have received several complaints about this Privacy Shield data transfer agreement with the United States, and a first review of this agreement is set to take place on September 18, 2017. A number of experts from the European Commission will be joining this review.
10. Companies will have to appoint a Data Protection Officer
A Data Protection Officer (DPO) is needed “wherever the data processing is carried out by a public authority or a company (controller or processor) whose core activities consist of processing operations which require regular and systematic monitoring of data subjects”.
The European Parliament also requires an organization or company that processes more than 5000 data subjects in a 12 month period to have a Data Protection Officer.
A Data Protection Officer is expected to:
- Be proficient at managing IT processes and resources;
- Be skilled in data security, including aspects related to cyber security (cyber attacks, cyber protection, etc.);
- Understand and be able to ensure business continuity issues related to storing and processing sensitive data.
With the new Data Protection Regulation going into effect in May 2018, experts share their opinion and experience on working with customers to prepare for GDPR implementation.
What challenges could a company face?
Preparing for EU GDPR is a complex process that requires a step-by-step approach for both companies and users. While this new regulation is a much-needed improvement for EU citizens, it may bring some challenges along the way.
- The process of selecting a Data Protection Officer doesn’t have to be an administrative burden, because there are ways a company can automate some of the tasks implied by this position and save time (and money) while doing it.
- Organizations will need to focus more on the legal aspects, business process audits and IT infrastructure to get full compliance with the new regulation.
- The legal aspect of the data collection practices and implementing a standard for ensuring data privacy are challenging for companies. With the new GDPR, they will have to think more seriously about the amount of the so-called “dark data” they are collecting, which is a compliance issue.
- While preparing for the new regulation and implementing it, companies need to deal with the lack of cyber security knowledge, and educate and raise awareness amongst their employees in this field.
- Implementing the EU GDPR will certainly bring up the necessity of internal changes. Planning ahead is essential, so you can make the right decisions and not jump into anything hastily (which can become costlier).
- The lack of cyber security knowledge and the shortage of experts in the field may be a burden for companies preparing for the new regulation. Companies with money will want to hire the best people, which there already aren’t enough of. Smaller companies, especially SMBs, might have to train their own employees so they can fit the role of Data Protection Officer, which may put additional pressure internally.
How to deal with the privacy issue and cyber security risks
Being proactive about the EU GDPR can help any company and organization save a lot of time and money. Changes in the way data is collected and managed in a company can be a lengthy process, so it’s better to start early and plan ahead.
If you can demonstrate that you’re adequately protecting user data, then you’ll have nothing to worry about when the EU GDPR comes into full effect in May 2018.
To diminish the risk of a cyber attack, a good solution would be to implement and use proactive cyber security software. It will help you get accurate data about your security risks at any moment, and mitigate them to prevent security breaches. However, do discuss with your security vendor what happens with telemetry, as the information collected by antivirus software can leave you open to fines. We expanded more on this topic here.
Starting to train employees in cyber security matters can prove to be one of the best investments for a company. And there are many free educational resources to use, such as the Cyber Security for Beginners course, The Daily Security Tip or even the Heimdal Security blog, which provide useful information to help them better understand the security landscape.
Here’s a short video explaining what GDPR is and the steps you need to take to prepare for the new Regulation.
Remember that change is the only constant, as the famous saying goes.
The new EU Regulation was created to strengthen data protection for European Union citizens, and companies need to be prepared and implement it ahead of time, to avoid significant and even expensive repercussions.
What is your biggest challenge in implementing the EU GDPR in your organisation?
This article was initially published in March 2016 and updated in August 2017.