On May 25, 2018, the most significant piece of European data protection legislation in 20 years will enter into force. The landmark EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Act (DPA) to strengthen the privacy rights granted to EU individuals. The legislation places many new obligations on organizations that market to, track or handle EU personal data, regardless of where an organization is located. Are you ready to meet the challenges posed by these new laws?
While hopefully you have enough of a solution duct-taped together to get you to the GDPR starting line, we want to take a look at what happens after the deadline arrives. The Mitratech GDPR Resource Hub is designed to help you build towards a long term GDPR compliance solution. A GDPR solution that not only sets you up for successful, hassle-free compliance, but also improves your compliance program's efficiency and effectiveness so you can get back to focusing on what your business does best.
This Resource Hub is meant to serve you in several different ways. First, we want to provide as much information as possible on what the GDPR entails and how it can potentially affect your company or organization. Second, we want to let everyone know what Mitratech is doing to comply with GDPR regulations. Finally, we want to guide and direct you to the best technology solutions to ensure you are fully GDPR compliant.
At Mitratech, our history proves our dedication to protecting and securing internal stakeholder data. We were an early adopter of the EU/U.S. Privacy Shield framework, which provided a mechanism to comply with EU data protection requirements when transferring data from the EU to the U.S. Each year, we update our SOC2 Type 2 certification and re-evaluate our robust privacy policies and industry best practices. As a leader in providing policy management and content management solutions to our clients, you can count on Mitratech’s full commitment to strive for GDPR compliance across our products and services.
We continue to update our processes and streamline data protection requirements across the EU to further deepen our commitment to data privacy and protection.
The GDPR acronym stands for General Data Protection Regulation. It is one of the most stringent and powerful personal data regulations giving EU citizens more privacy, protection, access and control of their own personal data while holding companies much more accountable for managing consumer personal data. This new data protection regulation is set to go into effect on May 25, 2018. The GDPR imposes new rules on companies, government agencies, non-profits and other organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents.
The General Data Protection Regulation governs the collection, storage, transfer and use of personally identifiable information originating from the EU or belonging to an EU individual. “Personally Identifiable Information” refers to data that can be used to distinguish or trace one’s identity, either alone or when combined with other information. Any organization that handles personal data of EU individuals in any form is within the scope of the law.
The GDPR not only applies to organizations located within the EU, it also applies to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the EU, regardless of the company's location.
Personal data means any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information or a computer IP address.
Here are the top ways the GDPR will affect EU citizens:
Right to access
EU citizens will have the right to get detailed information about where their data is being processed and specifically for what purpose their personal information may be used.
Right to be forgotten
Under GDPR, company controllers must erase all personal data “without undue delay” if an EU citizen’s data is no longer needed or if the citizen simply objects to a company having their information.
Citizens will have the right to request and receive any personal data in a commonly used and “machine-readable” format, and if feasible, a company may even be required to transmit a citizen’s data directly to a competitor.
Under GDPR, if a breach has occurred the controller has 72 hours to inform citizens of the breach. Companies will have to have a documented notification plan in place that ensures citizens are notified within 72 hours of a breach instead of being notified weeks or even months later.
GDPR increases the number of disclosures a company must make before they’re even allowed to collect any personal data from citizens. Included in these disclosures are the identity of the controller, the purpose of collecting and using your data and identifying any and all recipients of your data.
There is also a tiered approach to fines. For example, a company can be fined two percent for not having their records in order (article 28), for not notifying the supervising authority and data subject about a breach or for not conducting impact assessment. It is important to note that these rules apply to both controllers and processors -- meaning 'clouds' will not be exempt from GDPR enforcement.
GDPR will require organizations to map and classify all their personal data, perform risk assessments, design privacy protections into all new business operations and practices, employ dedicated protection officers, monitor and audit compliance and document everything they do with data and everything they do to achieve legal compliance.
GDPR will also require firms to reconsider how they engage with people, including their contracting and permission processes and how they give clear and full information on what is happening to personal data.
No, the GDPR does not require EU personal data to stay in the EU, nor does it place any new restrictions on transfers of personal data outside the EU. The GDPR sets forth certain conditions for the transfer of personal data outside the EU, and such conditions can be met via mechanisms such as model contract clauses.
Parental consent will be required to process the personal data of children under the age of 16 for online services. Member states may legislate for a lower age of consent, but this will not fall below the age of 13.
DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large scale systematic monitoring or (c) organizations that engage in large scale processing of sensitive personal data (Article 37). If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.
Proposed regulations surrounding data breaches primarily relate to the notification policies of companies that have been breached. For data breaches that may pose a risk to individuals, the organization must notify the DPA within 72 hours and notify the affected individuals without undue delay.
The discussions surrounding the one-stop-shop principle are among the most highly debated and are still unclear as the standing positions are highly varied. The Commission text has a fairly simple and concise ruling in favor of the principle. The Parliament also promotes a lead DPA and adds more involvement from other concerned DPAs. The Council’s view waters down the ability of the lead DPA even further. A more in depth analysis of the one-stop-shop policy debate can be found here.
Global Data Privacy Frameworks
Join certified compliance expert and author Robert Bond in this one hour webinar. Pulling from 40 years of experience, Bond covers:
• 8 Key GDPR Principles
• New global privacy & security frameworks
• How GDPR can impact your business
Looking for product technology solutions to ensure your company becomes GDPR compliant? The GDPR has many complex regulatory layers and requirements. Trying to figure out all those nuances can feel overwhelming. At Mitratech, we can help you determine whether you have the necessary compliance solutions in place to conquer these GDPR hurdles with ease.
To help you build your own GDPR implementation plan and figure out what technology solutions you might need to ensure compliance, we broke the new regulations down into 11 different topical groupings. Under each grouping, we include links to the specific articles that apply to each group. We hope this helps provide a clear, easy-to-follow roadmap for how you can streamline the efficiency and reduce the complexity of your GDPR implementation plan.
Read the article mapping below and feel free to contact us with any questions. A Mitratech representative will be happy to help connect you with our specific products and services that can help you become GDPR compliant.
Mitratech can help implement solutions tailored to your company's needs to make complying with GDPR easy. Our solutions can improve efficiency and keep you compliant for the long haul.
Connect with a Mitratech representative today to find out more.
For help with your GDPR implementation plan, more information about our GDPR technology solutions, or if you'd like to view a product demonstration, fill out the form to have one of our consultants contact you.