GDPR Compliance with Leadature
Take advantage of Leadature product releases to prepare for the General Data Protection Regulation (GDPR). GDPR requirements apply from May 2018. Is your organization ready for GDPR?
Background – what is GDPR?
The General Data Protection Regulation (GDPR) is a European Union (EU) regulation which replaces the Data Protection Directive 95/46/EC. The GDPR is intended to harmonize the patchwork of data privacy laws across the EU member states. Its objective is to protect individuals in the EU (the "data subjects") from privacy and data breaches in an increasingly data-driven world. The GDPR pursues this objective by granting data subjects specific rights in relation to the processing of their personal data and by placing corresponding obligations on the organizations that process it.
When Does it Matter?
The GDPR applies from 2018-05-25 (it entered into force in 2016, with a two-year transition period). But don’t wait: the consent, record-keeping and data-subject-request systems required to be compliant can be complex to implement.
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, the European Commission and the Swiss Administration to provide companies on both sides of the Atlantic with a mechanism for transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. Note that Privacy Shield addresses only the lawfulness of the transfer itself; a certified company still has to meet the GDPR obligations described below for the data it receives.
The rules apply to companies handling personal data of EU residents, regardless of where the company operates or where the data is stored.
“The GDPR not only applies to organizations located within the EU but it will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”
Consent and Record Keeping
Where processing relies on consent, the GDPR requires that consent be freely given, specific, informed and unambiguous, and given by a clear affirmative act. “Opt-out” and “opt-in by default” strategies (pre-ticked boxes, silence, inactivity) are not valid consent. For each specific use (e.g. sending marketing email) of the personal data, the end user must separately agree to that use, e.g. by ticking a box that was previously unchecked; consent to one purpose does not cover another. A mechanism must be provided for the end user to withdraw consent for each specific use at any time, and withdrawing consent must be as easy as giving it. A record must be kept of every consent given or withdrawn (what was agreed, when, and how it was captured), so that the organization can demonstrate consent and so that the current state of each specific type of consent is checked before each future use of the data.
Clear Privacy Notice
Any organization that collects personal data of any type about a data subject in the EU, and any organization that uses such personal data in any form, must provide a privacy notice that meets these guidelines:
1. Concise, transparent, intelligible and easily accessible, and viewable IN CONTEXT of the opt-in agreement (at the point where consent is asked for, not only behind a footer link)
2. Written in clear and plain language
3. Explain WHAT data is being stored
4. Explain WHO is able to access the data in any way
5. Explain HOW the data will be used
6. Offer the ability to REQUEST DELETION
7. Be free of charge
The rule is straightforward: for any data subject in the EU, where consent is the basis for processing, INFORMED CONSENT must be gained specifically (not by default).
Article 1(2) of the Regulation states the goal directly: “This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.”
Data Privacy & Retention
Privacy is maintained via data minimization (collecting and keeping only the data required for the stated processing purpose, and retaining it only as long as that purpose requires) and access restriction (allowing data access only to the people and systems that need it to carry out the processing).
Mechanisms must be provided such that the end user can:
1. Find out if their personal data is being retained
2. Receive a copy of any personal data that is being retained, free of charge
3. Request that their personal data be completely erased, and receive confirmation that the erasure has taken place in every system where the data was held, including any processors the data was shared with.
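As an added example (not Leadature's code, and not anything the page describes as its implementation), the following Python sketch ties together the consent record-keeping described under "Consent and Record Keeping" and the three data-subject mechanisms listed above: an append-only consent ledger whose current state is derived from the latest event per purpose, a marketing send that re-checks the ledger immediately before use, an access export, and an erasure that re-queries every store to confirm the data is gone. Every name in it (ConsentLedger, the "marketing_email" and "profiling" purposes, the dict-based profile store) is an assumption chosen for illustration, and the sample subject data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str            # one specific use, e.g. "marketing_email"
    granted: bool           # True = consent given, False = consent withdrawn
    recorded_at: datetime
    source: str             # how it was captured: form id, UI action, etc.


class ConsentLedger:
    """Append-only log of consent grants and withdrawals, one entry per event.
    The current state of a (subject, purpose) pair is its latest event; a pair
    with no event at all has no consent, so nothing is opted in by default."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, subject_id: str, purpose: str, granted: bool,
               source: str, at: Optional[datetime] = None) -> ConsentEvent:
        ev = ConsentEvent(subject_id, purpose, granted,
                          at or datetime.now(timezone.utc), source)
        self._events.append(ev)  # never overwrite: the history is the evidence
        return ev

    def current(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        return next((ev for ev in reversed(self._events)
                     if ev.subject_id == subject_id and ev.purpose == purpose), None)

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        ev = self.current(subject_id, purpose)
        return ev is not None and ev.granted

    def history(self, subject_id: str) -> List[ConsentEvent]:
        return [ev for ev in self._events if ev.subject_id == subject_id]

    def purge(self, subject_id: str) -> int:
        """Drop every event for a subject (used on erasure); returns the count."""
        kept = [ev for ev in self._events if ev.subject_id != subject_id]
        removed, self._events = len(self._events) - len(kept), kept
        return removed


# `store` below is a hypothetical profile store: dict of subject id -> personal data.

def send_marketing_email(store: dict, ledger: ConsentLedger, subject_id: str) -> bool:
    """Consult the ledger immediately before each use; never cache the answer."""
    if not ledger.has_consent(subject_id, "marketing_email"):
        return False
    profile = store.get(subject_id)
    if profile is None:
        return False
    # ... hand profile["email"] to the mailer here ...
    return True


def export_subject_data(store: dict, ledger: ConsentLedger, subject_id: str) -> dict:
    """Right of access: whether anything is held, a copy of it, and the consent history."""
    profile = store.get(subject_id)
    return {
        "data_held": profile is not None,
        "profile": dict(profile) if profile else None,
        "consent_history": [{"purpose": ev.purpose, "granted": ev.granted,
                             "recorded_at": ev.recorded_at.isoformat(), "source": ev.source}
                            for ev in ledger.history(subject_id)],
    }


def erase_subject(store: dict, ledger: ConsentLedger, subject_id: str) -> dict:
    """Right to erasure: delete every copy, then re-query to prove it is gone."""
    removed_profile = store.pop(subject_id, None) is not None
    removed_events = ledger.purge(subject_id)
    return {"removed_profile": removed_profile,
            "removed_consent_events": removed_events,
            "verified_gone": subject_id not in store and not ledger.history(subject_id)}


def walkthrough() -> dict:
    """Constructed sample: one subject opts in, withdraws, then asks for erasure."""
    store = {"s1": {"email": "a@example.test", "name": "A. Subject"}}
    ledger = ConsentLedger()
    steps = {"before_opt_in": send_marketing_email(store, ledger, "s1")}
    ledger.record("s1", "marketing_email", True, "signup form v3: user ticked box")
    steps["after_opt_in"] = send_marketing_email(store, ledger, "s1")
    steps["profiling_without_consent"] = ledger.has_consent("s1", "profiling")
    ledger.record("s1", "marketing_email", False, "preferences page: unsubscribe")
    steps["after_withdrawal"] = send_marketing_email(store, ledger, "s1")
    steps["export"] = export_subject_data(store, ledger, "s1")
    steps["erasure"] = erase_subject(store, ledger, "s1")
    steps["after_erasure"] = export_subject_data(store, ledger, "s1")["data_held"]
    return steps
```

Two design choices are worth noting. The ledger never stores a mutable "consented" flag; the current state is always derived from the latest event, so the audit trail and the value actually consulted before a send cannot drift apart, and a pair with no event is treated as no consent rather than as a default opt-in. Erasure reports what it removed and then re-queries the stores it touched; in a real deployment the same check would have to cover every copy (backups, analytics exports, processors), which this in-memory sketch does not model.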