The new EU General Data Protection Regulation (GDPR) comes into effect on May 25th, 2018, and it was probably one of the most discussed topics in the privacy community during the second half of 2016. But what does it really mean? What will the consequences be for me? For my business?
The new regulation is user-centric, i.e. it is designed completely with the user in mind. In GDPR the user is called the data subject. You, I, and everyone else have rights over our own personal data.
In various earlier privacy regulations the focus has been on the business or company that processes the personal data and on what it is and is not allowed to do with that data. In GDPR the focus is instead on the rights the data subject has to his or her personal data. Anyone who processes personal data needs to make sure that they can fulfil those rights. So, the tables have turned!
As a bonus, the definition of personal data has also been revised. It is now stipulated that any piece of data that directly OR indirectly can be used to identify a living person counts as personal data (GDPR uses the term "personal data" rather than the US term "personally identifiable information", PII, but I will use the two interchangeably here). This will mean that those involved in data mining and so-called Big Data applications will have a greater challenge when combining or sharing data from different sources, since a data set that identifies nobody on its own may identify someone once it is joined with another. Every processing activity needs a lawful basis (Article 6) and a stated purpose, the why. Consent is one such basis, and where processing rests on it the consent must be freely given, specific, informed and unambiguous, with explicit consent required for sensitive categories such as health data. If the purpose changes, a new lawful basis, and in practice usually a new consent, is required. This means that companies throughout Europe will have to completely review the way they handle personal data.
While there are technical tools that can assist a company in the processing of PII, e.g. encrypted storage and pseudonymization of data, most of the work of reaching compliance with GDPR cannot be done by adding or using technical systems. Note also that pseudonymized data is still personal data as long as the additional information needed to re-identify the subject (such as the key or mapping table) exists somewhere, so pseudonymization reduces risk but does not take the data out of scope. There is no quick fix.
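To make the pseudonymization caveat concrete, here is an added example (not code from the original post) contrasting two ways of replacing an e-mail address column with a pseudonym. A bare SHA-256 of the address is deterministic for everyone, so anyone holding a candidate list of addresses can re-identify the rows by hashing the candidates and matching. A keyed HMAC, with the key held separately from the data set, defeats that dictionary attack for an outsider, while the controller who holds the key can still link the rows, which is exactly why the data remains personal data. The records and candidate list are constructed, fictional sample data.

```python
"""Added example: keyed pseudonymisation of an identifier versus a bare hash.

Not part of the original post. Shows why sha256(email) is a weak pseudonym
(re-identifiable from a candidate list) and why an HMAC-based pseudonym is
still personal data for whoever holds the key.
"""
import hashlib
import hmac
import secrets

# Constructed sample records (fictional people, example.com addresses).
RECORDS = [
    {"email": "alice@example.com", "purchase": "book"},
    {"email": "bob@example.com", "purchase": "laptop"},
]

# Candidate list an attacker or a curious analyst might already hold, e.g. a
# marketing list or an unrelated leak. Constructed for the example.
CANDIDATE_EMAILS = ["carol@example.com", "alice@example.com", "bob@example.com"]


def _normalise(identifier: str) -> bytes:
    """Canonicalise before hashing so 'Alice@Example.com ' and 'alice@example.com' match."""
    return identifier.strip().lower().encode()


def bare_hash(identifier: str) -> str:
    """Unkeyed SHA-256 pseudonym. Anyone can recompute it from a guessed input."""
    return hashlib.sha256(_normalise(identifier)).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym. Only a holder of `key` can map addresses to pseudonyms."""
    return hmac.new(key, _normalise(identifier), hashlib.sha256).hexdigest()


def pseudonymise(records, pseudo_fn):
    """Return a copy of the records with the e-mail column replaced by a pseudonym."""
    return [{"pseudonym": pseudo_fn(r["email"]), "purchase": r["purchase"]} for r in records]


def reidentify(pseudonymised, candidates, pseudo_fn):
    """Dictionary attack: apply pseudo_fn to every candidate and match against the rows.

    Returns a mapping pseudonym -> recovered e-mail for each row that matched.
    """
    lookup = {pseudo_fn(c): c for c in candidates}
    return {
        row["pseudonym"]: lookup[row["pseudonym"]]
        for row in pseudonymised
        if row["pseudonym"] in lookup
    }


def demo():
    """Run the attack in three settings and return how many rows each re-identifies."""
    # The key is generated here for the demo; in practice it is stored apart from
    # the data set, which is what Article 4(5) means by 'kept separately'.
    key = secrets.token_bytes(32)

    bare = pseudonymise(RECORDS, bare_hash)
    keyed = pseudonymise(RECORDS, lambda e: keyed_pseudonym(e, key))

    # Outsider with the candidate list but no key.
    hits_bare = reidentify(bare, CANDIDATE_EMAILS, bare_hash)
    hits_keyed_no_key = reidentify(keyed, CANDIDATE_EMAILS, bare_hash)

    # Controller who holds the key can still link rows to people.
    hits_keyed_with_key = reidentify(
        keyed, CANDIDATE_EMAILS, lambda e: keyed_pseudonym(e, key)
    )
    return len(hits_bare), len(hits_keyed_no_key), len(hits_keyed_with_key)


if __name__ == "__main__":
    bare_hits, keyed_hits, controller_hits = demo()
    print(f"bare hash, no key:   {bare_hits} of {len(RECORDS)} rows re-identified")
    print(f"HMAC, no key:        {keyed_hits} of {len(RECORDS)} rows re-identified")
    print(f"HMAC, with the key:  {controller_hits} of {len(RECORDS)} rows re-identified")
```

The numbers tell the story: the bare hash gives up every row to anyone with a plausible candidate list, the HMAC gives up nothing to an outsider, and the controller can still re-identify everything, so the key itself becomes data that needs protecting and the pseudonymized table remains in GDPR scope.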
You need to revise your routines, processes, policies, and most likely your business.
You need to educate your employees.
And you need to document all of the above: the new regulation is very clear that you must be able to demonstrate that your processing of personal data complies with it (the accountability principle), which in practice means keeping records of what you process, why, on what basis, and for how long.
While I have only scratched the surface of GDPR, the new regulation will really force companies to adjust their way of working, and I haven’t even started to address the penalties yet. More on that in a future posting.