With the General Data Protection Regulation (GDPR) coming into effect throughout the EU this month, I thought it would be helpful to reiterate the six “need-to-know” provisions of this sweeping data privacy legislation one more time so that our customers and readers working toward GDPR compliance are as prepared as possible to meet the new requirements.
While the law particularly affects EU countries, global businesses with customers in the EU are also impacted. After the planning and process adjustment pains, I think many companies will see the GDPR as a positive and progressive development that will ultimately help improve data protection consistency across the board.
6 Tips for Businesses Preparing for GDPR
- Know your data protection definitions. The cornerstone definitions of the Directive and Data Protection Act 1998 (which GDPR replaces) remain generally unchanged under the GDPR. Businesses should have a good understanding of “Personal Data,” “Sensitive Personal Data,” “Controller,” and “Processor.” “Sensitive Personal Data” is now known as “Special Categories of Data,” and it includes biometric and genetic data but excludes criminal convictions data. “Processors,” or companies that perform a task on another company’s data (such as Dun & Bradstreet), are now given legal obligations under the GDPR. Most obligations still fall to the “Controller,” the company that is collecting data, but businesses need to know when they are acting in dual roles of processor and controller and what their obligations are to controllers and data protection authorities. It is worth noting that the GDPR makes no distinction between private and business activity, and for businesses dealing with unincorporated organisations such as sole traders or partnerships, their data is considered personal, as is data relating to shareholders and directors at incorporated companies.
- Know data subjects’ rights. Data subjects’ rights will remain in place under the GDPR, and many will be expanded or strengthened. To manage data-subject rights efficiently, organisations should concentrate on detailed privacy notices, streamlined subject access requests, procedures to manage rectify and erasure requests, and restrictions on processing when a subject has raised a rectification query that hasn’t been resolved.
Another important change is the process for responding to a subject access request (SAR) – a written request made by, or on behalf of, an individual for the information a business holds about them. A business now has only 28 days to respond under the GDPR rather than the 40 days allowed under the former directive. If a business processes data under legitimate business interest, they should also be aware of a change in burden. Currently, the data subject can only demand their data be deleted if they provide the Controller with “compelling legitimate grounds” to do so. The GDPR flips this burden and states that where a Controller processes data under the legitimate interest basis, the data subject can object at any time, and it will be for the Controller to prove compelling legitimate grounds for processing the data.
- Know your high-risk activities. Businesses use data in a variety of ways – both internally and externally. Information security can mitigate the risk of data breaches or hacker attacks. The GDPR includes obligations to carry out a privacy impact assessment to determine the level of risk of a particular activity. That means businesses need to assess all activities to establish which ones are high risk. Once identified, they should then ensure they are mitigating against danger and protecting data in higher-risk situations.
- Know when to report data breaches. For the first time, all organisations controlling personal data within the EU will be under a legal obligation to notify their local data protection authority within 72 hours if they suffer a data breach that could result in harm to data subjects. That’s a challenging time frame for any business. This obligation is something that companies with a US presence will be better prepared for, given that the emphasis for US privacy is on breach notification. Businesses will need to thoroughly review the GDPR legislation around this area, because not all breaches require notification. A review of current data security processes is recommended to make the necessary changes to ensure a business (a) can identify a breach quickly, (b) is able to limit its impact as much as possible immediately, and (c) has a process in place to escalate internally before making the authorities aware within 72 hours.
- Know how to handle international data transfers. The GDPR will do little to simplify the complex process of making data transfers out of the EU. Companies with subsidiaries inside and outside of the EU should note the inclusion of Binding Corporate Rules (BCRs) in the GDPR. BCRs are a mechanism for intra-company transfers around the world – and are being given a legislative basis for the first time.
Data is a powerful force in business, which helps firms understand customers and deliver the very best products and services. The GDPR does not need to be a problematic revolution. The reality is that many of the standards and procedures the GDPR puts in place are based on, and can be adapted from, current data protection legislation. Given an increasingly digitally led and data-based world, Dun & Bradstreet believes that the GDPR is a necessary and progressive move forward for all businesses.
The GDPR will put in place an EU-wide set of regulations that will create opportunities for easier, faster, and more streamlined trade across the EU. And it ensures the data that businesses hold is protected and used consistently.