What is GDC doing to prepare for GDPR?
Like nearly every other technology company, we have been closely following developments related to the General Data Protection Regulation – GDPR. Working in conjunction with our customers and outside advisors, we have updated our services offerings to assist our customers in meeting their GDPR obligations. GDC attests that it will comply with applicable GDPR regulations when they take effect on May 25, 2018. We will continue to make additional required operational changes resulting from the new legislation, and will keep our clients, partners and regulatory authorities informed throughout this process.
What is GDPR?
The EU General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in the last twenty years, replacing the 1995 EU Data Protection Directive (European Directive 95/46/EC), strengthening the rights that EU residents have over their data, and creating a uniform data protection law for EU residents. Simply put, GDPR gives EU residents greater say over what, how, why, where, and when their personal data is used, processed, or disposed of. Further, any organization that works with EU residents’ personal data in any manner, irrespective of location, has obligations to protect that data.
Who and what does GDPR apply to?
GDPR affects any company, organization, or government agency that collects or processes information relating to an identified or identifiable individual who is a resident of the EU. This includes organizations operating within the EU, organizations outside the EU that offer goods and services to EU residents, and organizations that monitor EU residents. It covers personal data such as name, identification number, location data, or online identifiers, as well as special categories of personal data such as religious affiliation, medical and genetic data, and biometric data that is processed to uniquely identify an individual. GDPR does not apply to certain activities covered under law enforcement or national security, nor to processing carried out by individuals purely for personal or household activities.
What is required under GDPR, and how does that differ from existing privacy laws?
GDPR builds upon existing EU privacy and data protection law, and Article 5 of the GDPR sets out the six principles of data protection. The controller of the personal data is responsible for complying with these principles and will be required to demonstrate compliance. These principles require that personal data is:
- processed lawfully, fairly and in a transparent manner;
- used for the purpose for which it was collected (and that such purpose is expressly specified and legitimate);
- relevant and limited to what is necessary in relation to the purposes for which it is processed;
- accurate and, where necessary, kept up to date;
- stored for no longer than is necessary for the purpose for which the personal data is processed; and
- processed in a manner that protects the security and confidentiality of the personal data.
Compared with the European Directive 95/46/EC, GDPR introduces the following new requirements:
- Increased territorial scope
Previous privacy directives were considered ambiguous, but GDPR clearly states that it applies to all companies processing the personal data of data subjects residing in the EU, regardless of the company’s location.
- Individual rights for data subjects
GDPR includes a number of individual rights in order to empower data subjects, such as a right to access, a right to be forgotten, a right to data portability, and a right to correct or rectify personal data.
- Data breach notification
GDPR provides for strict data breach notification timelines requiring that the Supervisory Authority generally be notified within 72 hours. GDPR also requires that customers and controllers be notified of a data breach “without undue delay.”
- Privacy by design
GDPR calls for the inclusion of appropriate technical and organizational data protection measures at the beginning and throughout the system design process.
- Strict penalties for non-compliance
GDPR provides a tiered approach to fines for breach of data protection requirements, with the maximum being up to 4% of annual global turnover or €20 Million (whichever is greater).
We have three main areas of focus in preparing for GDPR:
- Enhancing data integrity and security – We’re enhancing our existing security and business continuity management policies, processes and controls, including privacy by design, to ensure GDPR compliance, including the use of industry-leading and security-certified cloud infrastructure providers and data centers with a high level of security, data confidentiality, integrity, and availability. We’ve implemented privacy by design at the organizational level to help ensure the protection of the rights of data subjects and customers. Our data processing and security architecture have been thoroughly analyzed to account for a variety of factors, including the sensitivity of our data, the risks to individuals associated with any security breach, state-of-the-art technologies, and the nature of our processing activities. We’ve documented the legal basis for each data processing activity as well as the technical and organizational measures in place to ensure that our services meet all GDPR requirements. Regular internal and external testing of the effectiveness of our security measures and processes is a continuous process, and, in the event that a breach does occur, GDC can promptly report any detected breach to the established EU authorities.
- Product improvements – We’ve implemented technology modifications to align with GDPR requirements for our business and for our products, and we are adding new technologies to better support these GDPR obligations. We’ve also created procedures enabling data subjects and customers to submit requests to exercise their rights under the GDPR, including consent management and opt-in/opt-out tools, and access controls that address personal data access, transparency, rectification, erasure, restriction of processing and automated decision making, portability and objection. We’ve made these changes without compromising on product performance so that we can provide better transparency to data subjects and our customers.
- Providing visibility, awareness and transparency – We’re implementing new processes for how we collect, use, and process data. This includes providing our customers and data subjects with information to more easily understand what data is being captured and processed, and ensuring that all personal data is handled in accordance with GDPR standards through appropriate terms with our data suppliers, resellers, customers and service providers. We’re also investing in resources for training our staff, partners and customers on GDPR regulations and compliance obligations to ensure that our services remain GDPR compliant.
Copyright Global Data Consortium 2018. This page is provided as of May 14, 2018, for informational purposes only and not to be relied on for any reason. It is subject to change without notice.