The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years. The regulation will fundamentally reshape the way in which data is handled across every sector, from healthcare to banking and beyond. Fouad Fattouh, ICT professional, trainer and consultant, brings you the ten points you need to know about GDPR.
Better quality consent required
Consent must be given freely by customers, and organizations will have to meet tougher quality requirements for consent to be legally valid.
Customers will have the right to be forgotten and erased
Customers will be entitled to ask for their personal data to be deleted where it is no longer required for its original purpose, or where they have withdrawn their consent.
Data portability
Customers will have to be able to easily transfer data to a different organization. Customers will be entitled to request that their personal data is transferred from one organization to another in case they switch (financial) service providers. Organizations will be obliged to facilitate the transfer of personal data.
Right to object
Customers will have the right to object to having their data used for ancillary activities unless the organization has compelling and legitimate reasons for doing so.
Profiling gets tougher
Profiling means any form of automated processing of personal data that uses personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning the natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
Privacy by design and by default
Privacy by design is a process involving various technological and organizational components which implement privacy and data protection principles from the beginning of the design process, such as pseudonymization, data minimization, and other technologies that help an organization to minimize the information collected about individuals. By default, systems and technology should be designed so as to ensure that data processing is limited to what is necessary for the purpose for which the data was collected, and that only those within an organization who need to access the personal data do so.
Data breach notification
Breaches must be notified to the data protection authority and possibly to data subjects. Companies must notify the data protection authority of data breaches if there is a risk to the rights and freedoms of individuals. The notification, made within 72 hours where possible, must include:
– Nature of the breach
– Contact details
– Likely consequences
– Measures taken or proposed to mitigate negative effects
Privacy Impact Assessment (PIA)
A PIA is a process by which the people, processes, technology and operational controls in the organization are assessed to determine the likelihood of failing to safeguard personal data and thus of non-compliance with the GDPR requirements.
A Data Protection Officer will have to be appointed
The DPO monitors compliance with the GDPR, collects information to identify processing activities, analyzes and checks the compliance of those processing activities, and informs, advises and issues recommendations. The opinion of the DPO must always be given due weight, and reasons for not following the DPO’s advice must be documented.
New fines and penalties
Regulators will have the power to fine organizations up to either €20M or 4% of worldwide annual turnover (whichever is higher) for the most serious breaches of data protection laws.
About the author
Fouad Fattouh (ITIL, PMP, ISO, COBIT, GDPR Certified) has been an ICT professional, trainer, and consultant since 2003, working with multinational companies in Lebanon, UAE, Cyprus and the UK. He is co-founder of Creative Consults, an IT and Digital Marketing Consulting firm that focuses on helping entrepreneurs set up their startups in the most cost-effective way.