What is the General Data Protection Regulation (GDPR)?
What is GDPR?
The GDPR replaces the patchwork of country-specific data protection rules with a single EU regulation and puts control of personal information back into the hands of the individual. Personal data is defined as any information relating to an identified or identifiable natural person, that is, a person who can be identified directly or indirectly from the data.
The regulation was adopted in April 2016, but a two-year transition period means that it applies, and becomes enforceable, from May 25, 2018.
The GDPR is not only a law but also a useful guide to managing and governing data, because it is fundamentally about good data hygiene: knowing what data has been collected, how it is used, and how to use it the right way.
Another benefit of the GDPR is that companies now need to follow one set of privacy rules across the European Union (EU) rather than the differing national implementations of the earlier Data Protection Directive.
How does the GDPR affect my organization?
Your organization must comply if it is established in the EU, or if, from outside the EU, it offers goods or services (paid or free) to people in the EU or monitors their behaviour there.
Ultimately, this will lead to better practices in your organization:
- You will need to understand what data you collect, how and why you use it, and how it flows through and beyond your organization.
- You will need to be transparent about how you share and provide access to a person's data, and how you allow them to correct it, restrict its use, take it with them (portability), or have it erased.
- If you track or profile people, you will need a lawful basis for doing so (typically their consent) and you must clearly explain what you are using the data for.
The main tenets of the new regulation are:
- Informed consent: An individual must be given accurate information on all relevant points, such as what data is collected or processed and for what purpose, and consent must be freely given, specific and unambiguous. Explicit consent is required for processing special categories of data, such as political opinions, religious beliefs, racial or ethnic origin, trade union membership, genetic data, biometric data used to uniquely identify a person (ordinary photographs count only when processed by technical means that allow such identification), sexual orientation, or data concerning health.
- Right to be forgotten (right to erasure): Data subjects can demand that their retained data be deleted, for example when it is no longer needed for the purpose it was collected for or when they withdraw consent, unless the controller has an overriding legal obligation or other legitimate ground to keep it.
- Breach notification: The data controller must notify the supervisory authority within 72 hours of becoming aware of a personal data breach (where feasible), and must inform affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
- Parental consent: Online services offered directly to children may not rely on a child's own consent below the age of 16 without verifiable consent from a parent or guardian. Member states may lower this threshold, but not below 13.
What if we choose not to comply?
Enforcement will be strict!
The penalty for the most serious infringements is a fine of up to €20 million or 4% of the company's total worldwide annual turnover for the preceding financial year, whichever is higher.
How can LumenData help?
1. GDPR Data Protection Impact Assessment
- Identify and assess relevant business functions
- Identify and assess in-scope Third Party Processing activities
- Define a central GDPR Compliant Data Governance tool
- Distribute updated Data Protection policies and Privacy Notices
- Educate internal Personal Data Handlers and external Data Processors
2. Operationalize GDPR-compliance Processes and Procedures (Data Governance)
- Identify and classify data – data that is unknown cannot be managed, and not all data needs the same level of protection
- Put data into context – what is the data linked to, where does it go, and how do we use it?
- Prioritize security control objectives for these information assets as a function of risk and of audit and compliance requirements (i.e., by data classification)
- Establish consistent policies as part of an overall approach to safeguarding sensitive data
- Implement a central GDPR Compliant Data Governance tool
3. GDPR Maintenance/Support
- Ensure the ongoing integrity and quality of the GDPR Compliant Data Governance tool
- Trigger impact assessments for business change events
- Verify compliance of Third Party Personal Data Processing activities
- Demonstrate effectiveness of Personal Data handling practices
- Leverage GDPR compliance measures for competitive advantage
LumenData is a global leader in providing consulting services for data management and marketing automation solutions. Our team of experts can configure new implementations or optimize current installations, all customized to your business needs and goals.