What Your Business Must Know About the General Data Protection Regulation (GDPR)
By: Ann Nickolas, Vice President of National Accounts
Data protection and information security have always been important for businesses. However, May 2018 will mark the start of a new onus on companies to implement data protection measures when conducting business with people in the European Union (EU). The General Data Protection Regulation (“GDPR”) is a new piece of legislation in the EU that imposes greater obligations on businesses to keep the personal records and confidential data of EU residents safe. The legislation will also work to reduce the number of fraud and identity theft incidents. The impetus behind this new regulation is to bring greater strength and consistency to the protection of information collected from individuals living in the EU.
The GDPR is unique in that it applies to businesses that are located both inside and outside the EU. North American businesses that fail to comply and take the necessary precautionary steps could face fines as high as US$24 million.
This article highlights key provisions and suggested solutions to help North American businesses comply with the GDPR from an information security perspective. It is not to be considered legal advice.
The GDPR applies to any entity that collects, uses or discloses personal data of EU citizens. The legislation refers to these entities as Controllers and Processors. A Controller is an entity that alone or jointly determines the purposes and means for processing personal data. A Processor is an entity that processes personal data on behalf of the Controller. This provision can be found in Chapter 4.
It is recommended that businesses consult a legal expert to ensure legal compliance. However, the GDPR specifies the type of activities that could harm individuals in the EU:
- Discrimination or identity fraud;
- Professional secrecy where individuals may be deprived of their rights or control over their data;
- Disclosure of racial, religious, genetic and other special categories of data;
- Evaluation of personal aspects, such as work performance, health, reliability or economic situation; or
- Vulnerable persons’ data and processing on a large scale.
Businesses must also be aware of the following obligations under the GDPR:
- Consent: The GDPR requires that consent be obtained to process personal data. Silence or inactivity does not constitute consent.
- Breach notification: In the event of a data breach, businesses must notify affected individuals within 72 hours of discovering the breach. Where the breach affects an individual’s rights and freedoms, notification must be made without undue delay. There is an additional onus on businesses in the financial, energy, transport and digital service industries. These services are considered “essential services”, and these businesses must notify the relevant data protection authorities in the event of a data breach.
- Erasure of information collected: If data collected is no longer needed, if an individual objects to collection, or if the information was collected unlawfully, businesses will be required to erase this information. Additionally, businesses will be required to communicate any erasure requests to other controllers who have the data.
- Data Protection Officers: Controllers and Processors will be required to designate a Data Protection Officer equipped with the necessary knowledge of data protection laws and procedures. Entities that require this include:
- Public authorities or bodies;
- Entities whose core activities involve regular and systematic monitoring of individuals on a large scale;
- Entities whose core activities consist of collecting data related to racial or ethnic origin, criminal convictions or political views.
It is important to emphasize that the application of this legislation is not limited to organizations that have a physical presence in the EU. Businesses outside the EU that engage in the following activities also fall under the GDPR: (i) offering goods and services to individuals in the EU (including goods and services offered free of charge); or (ii) monitoring (i.e. internet tracking and profiling) the behavior of individuals that occurs in the EU.
Ramifications for Non-Compliance
As mentioned, businesses that fail to comply with the GDPR could face significant fines. These fines and sanctions fall into two broad tiers:
1. For serious infringements, fines can be as high as US$24 million, or 4% of the total annual revenue worldwide;
2. Less serious infringements can result in administrative fines greater than US$12,000, or 2% of total annual worldwide turnover of the business.
It is important for businesses of all sizes to familiarize themselves with the legislation, consult a legal expert, and take the necessary precautionary measures to comply with the GDPR. To avoid receiving hefty fines, Shred-it recommends following these steps:
First, businesses are advised to prepare a robust information security policy that is kept up to date. Under the new GDPR legislation, authorities will have the right to review your privacy policies and procedures at any time. Policies should clearly articulate the categories of data obtained from EU residents and how long the data should be stored before being securely destroyed. Additionally, these policies should identify the destruction methods used for both physical and digital documents. Companies are advised to keep an accurate record of what information has been destroyed in case they are questioned by authorities.
Second, businesses that will be affected by the GDPR should introduce Privacy Impact Assessments (PIAs). PIAs are a critical component of the GDPR: they provide risk assessments and identify where an individual’s data can be at risk throughout its processing.
Finally, it is recommended that there is a designated person or team responsible for ensuring all data protection policies are put into place and followed.
Implementing these procedures at the early stages of a project will be crucial to ensure that data protection is part of your thinking from the start. For further information on how Shred-it’s services can help you with information security procedures, please click here.