The GDPR is without a doubt one of the most discussed topics of discussion in companies around the globe in 2018. With the deadline approaching—GDPR will officially go into effect on May 25, 2018—we know that you may still have questions around this EU Regulation:
● What is the GDPR?
● When will the GDPR take effect?
● How did we get there?
● And even, What are some of the GDPR Requirements and Sanctions?
DISCLAIMER: The following post is informational in nature and is not to be considered as legal advice nor suggestion for a legal understanding of the Regulation.
WHAT IS THE GDPR?
The European General Data Protection Regulation (also known as GDPR) is a European Union law that concerns the privacy related to the data of all European citizens. It will take effect on May 25, 2018 and it will impact all companies that gather, store, process and manage data on EU citizens.
HOW DID WE GET THERE: A LITTLE BIT OF GDPR HISTORY
The GDPR as we know it today isn’t the first attempt to regulate data privacy. A set of recommendations have been present and shared in many countries since the 1980s. The OECD (Organization for Economic Co-operation and Development) proposed its guidelines almost 30 years ago focusing on the following principles:
1. Collection Limitation Principle
Limits to the collection of data that has been obtained under lawful and fair means with the knowledge and consent of the subject.
2. Data Quality Principle
The personal data obtained should be relevant to the purpose for which it was gathered.
3. Purpose Specification Principle
The purpose of the data gathered should be clear at the time of its collection.
4. Use Limitation Principle
The data gathered should not be used for a different purpose without the subject’s consent.
5. Security Safeguards Principle
The data obtained should be kept secure from any loss or misuse.
6. Openness Principle
Subjects should have easy access to their personal information stored by the parties using it.
7. Individual Participation Principle
Subjects should have the right to know if a controller was holding their data, with also the right to ask for its modification or deletion.
8. Accountability Principle
The organizations that gather and store the subjects’ data should be accountable for complying with the points above.
These eight points established a pretty good infrastructure for the data privacy. However, since these elements weren’t mandatory, EU countries created their own laws to protect the privacy of their citizens. The GDPR was born out of a wish to harmonize these laws, not as a simple set of suggestions, but as a regulation that is now a common law within all EU member states. In addition to its purpose to protect the privacy of its citizens, the EU GDPR focuses its attention also on the transfer of personal data to “third countries” and wants to update its values to reply accordingly to modern technologies.
A GDPR OVERVIEW
The EU GDPR entered into force in 2016 and it will become fully operational on May 25, 2018.
The EU General Data Protection Regulation concern most every company that gathers, stores, processes and manages the personal data of EU citizens. This includes, for example, names, addresses, IDs, IP addresses, locations, and even biometrical, health, sexual and political information. There is a limit related to company size, as mentioned the last part of Article 30:
“The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organization employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.”
However, even if a company has fewer than 250 employees, if the data it stores falls under the description above, it must comply with the GDPR Regulation—that’s why we can say that GDPR will concern almost every company.
The GDPR points to (and permits) the storage of personal data only with the subject consent, for the time and for the purpose for which the data has been gathered. This means that after a subject’s request, the data must be modified or deleted. If the data is transferred and (to another country or to an international organization) the subject has the right to be informed.
The GDPR emphasizes security, because even if it understands that an organization’s systems can be hacked, it specifies the time and processes that should follow the eventual breach. So, under GDPR, organizations must have policies, procedures and processes in place to protect personal data in the event of any possible breach. That’s why it is fundamental for every business to have (and establish) a clear idea of the data available, the responsibilities of all parties and data-flows that might be involved in the event of an attack.
The rules and security measures do not impact only on the company that processes the personal data of EU citizens, but also the third parties that process this data on behalf of the company. For example: if you have a partner, a vendor or a suppler with whom you share the personal data of EU subjects, these “processors,” as they are called within GDPR, must meet the same EU Regulation requirements for privacy and security. Moreover, if cooperation with a processor comes to an end, you must be sure that it deletes, or returns to you, all the personal data for which you are responsible (unless differently required by EU laws) as stated in Article 28.
Non-compliance with the General Data Protection Regulation can result in expensive fines. Even if every non-compliant case will be treated individually and jugged depending on the nature, the gravity, the duration and the eventual intentional neglect or infringement of the regulation, the sanctions can reach, or even exceed, €20 million. Quoting from Article 83:
“Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.”
HOW COGITO CAN HELP YOU
As we have seen in this very simple GDPR overview, this regulation covers so many topics, each with so many details, that will require a lot of time and expense for compliance. It also requires that companies maintain every piece of information, keeping it organized and monitored for years to come. That’s why it is important to have at your disposal tools able to easily manage enormous quantities of structured and unstructured data like Cogito.
The Artificial Intelligence of Cogito can analyse content and capture its meaning in context, identifying the personal data contained within. Its capabilities include generating specific reports for decision makers so that they can quickly respond in terms of the guidelines and processes. This is crucial in helping companies meet the GDPR’s compliance requirements. Expert System is currently working with many organizations in the Banking & Insurance sector to support Data Protection Officers and the numerous partners that deliver multi-discipline projects (legal vendors, system integrators, consulting firms) in their compliance efforts.
[su_button url=”https://expert.ai/contacts/” style=”glass” background=”#003f7d” color=”#ffffff” size=”9″ wide=”no” center=”yes” radius=”0″ icon=”icon: pencil” icon_color=”0000″ text_shadow=”0px 0px 0px #000000″ class=”freeleft”]Contact Us![/su_button]