Here are some common questions about GDPR.
What is GDPR?
The GDPR (General Data Protection Regulation) is new EU legislation designed to protect the data rights of EU citizens; it goes into effect May 25, 2018.
To whom does GDPR apply?
It covers all EU member state citizens (i.e. “data subjects”) who submit personal data, either electronic or paper-based, to other parties either directly (e.g. completing a form) or indirectly (e.g. purchase tracking information).
So, does GDPR affect businesses outside of the EU?
As long as the data subject submits their information from within the borders of an EU member state, GDPR applies to the organization(s) collecting the data regardless of their location (i.e. inside or outside the EU).
Does GDPR affect data ownership?
GDPR shifts ownership of the data subject’s personal information from the organization(s) collecting it back to the individual.
What kinds of information fall under GDPR protection?
Any personally identifiable information (PII), including but not limited to first and last names, email address, and IP address, is considered protected under GDPR.
Will my business or organization need to change current practices?
Stringent and extensive measures must be put into place by data collectors (i.e. “Controllers” and “Processors”) to safeguard the personal information collected from data subjects, both technically and organizationally.
What are the penalties if I am not compliant with GDPR?
Failure to comply with GDPR can result in financial penalties of €20M or 4% of revenue, whichever is greater.
How do I know if my business or organization is subject to GDPR?
Any organization that collects or receives information directly from or about a citizen of the EU, sourced from within the EU, is subject to GDPR.
What is a "Controller?"
A “Controller” is defined as the front-facing organization to which the data subject provides their information (e.g. an employer, a credit card company).
What is a "Processor?"
A “Processor” is defined as an organization that may be contractually enlisted by a Controller to fulfill all of the technical handling and processing of a data subject’s information (e.g. a medium-sized sales site using Amazon AWS as a backend hosting provider).
So, who is responsible for GDPR compliance? Controllers or Processors?
Controllers and Processors equally share responsibility in compliance with GDPR.
How do I ensure that an affiliated Controller or Processor is compliant?
Legally binding contractual agreements must exist between Controllers and Processors which clearly define their roles and commitment to GDPR compliance.
What if I am a third party with access to EU subject information?
Any third party that receives EU data subject information (e.g. an organization procuring a sales mailing list from the primary Controller) is also subject to the terms of GDPR.
What Do I Need To Do?
I am a Controller, or a Processor: what steps should I take?
1. Conduct data flow analyses to determine all systems and personnel that have access to GDPR data.
2. Conduct a risk analysis for every identified system and person (role) to identify effective mitigation strategies to protect the data.
3. Establish a code of conduct for data protection by which all personnel must abide.
4. Employ all technical and logical safeguards that are “reasonably” possible to implement using current technologies.
5. Provide mechanisms for data subjects to receive copies of their personal data in a common, exchangeable format.
6. Support requests from a data subject to remove their information from ALL locations and systems, including historic backups.
7. Notify any third-party recipients of GDPR-protected data that a removal request has been received from a data subject.
8. Service complaints from data subjects in a timely manner and agree to binding arbitration by GDPR-sanctioned bodies.
9. Notify affected individuals of a data breach within 72 hours of discovery.
10. Review and amend any contracts or agreements with parties working with Controllers or Processors to reflect the terms and conditions of GDPR.
11. Conduct research, review legislation, and/or obtain outside resources (legal and technical) to assist.