The countdown to the EU General Data Protection Regulation (GDPR) is here, with enforcement taking place next year, on 25 May 2018. The EU GDPR is arguably the most important change in data privacy regulation in 20 years. Perhaps the most important change to the regulation is the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of subjects residing in the EU, regardless of the company’s location. GDPR was designed to protect and empower data privacy for all EU citizens and reshape the way organizations approach data privacy. With the GDPR impacting healthcare organizations around the globe, we thought it would be a good idea to cover some of the key changes and what it will mean for your organization. Here they are below:
Businesses and organizations will be subject to fines up to 4% of annual global turnover or €20m (whichever is greater). This is the maximum penalty for the most serious violations such as not having sufficient consumer consent prior to processing data.
Organizations collecting consumer data will now face stricter guidelines when asking for consent to process data. With the new regulation in place, consent must be given in an intelligible and easily accessible manner, using clear and plain language such that there is no question about what consumers are agreeing to.
Breach notifications for controllers will be mandatory under GDPR within 72 hours in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals.” In addition, data processors, the entities that process data on behalf of data controllers, must notify the controllers “without undue delay” after first becoming aware of the breach.
Right to Access
With the expansion of GDPR, consumers will have the right to obtain confirmation from data controllers about whether or not data about them is being processed, where, and for what purpose. According to EUGDPR.org, the data controller is the entity that determines the purposes, conditions and means of the processing of personal data. Copies of personal data must be provided by the controller, free of charge, in an electronic format.
The regulation will take effect and be enforced from 25 May 2018 for all businesses and organizations worldwide that handle European customer data.
What will this mean for you? Be prepared to establish clear procedures around the legal basis for gathering data. Consumers will have the right to ask for access to data held on them, and have it changed or erased based upon the legal basis upon which the data was processed. Ultimately, firms will need to reinterpret how they communicate with customers, how they gather data and how they organize that data into an effective audit trail.
Find out how SolarWinds can help manage your toughest IT problems today.