GDPR and who it applies to
Brendan McPhillips – founder, co-owner and senior account manager at Asystec has worked in the IT industry for 25+ years. His current focus is in the Data Governance space, specifically in giving his customers automation in terms of reporting of access, activity and content of structured and semi-structured data repositories.
General data protection regulation applies to all companies worldwide that process the personal data of EU citizens. The introduction of GDPR to the worldwide market is the extension of EU regulation to every company that processes EU citizen’s data. Now, any company that deals with information pertaining to EU persons must comply with the requirements of GDPR, making GDPR the first global protection law. This will result in countries like the US having to conform to EU regulation when collecting data from its citizens. In the past conglomerates tried to bypass GDPR rules by locating their main processing units outside the affected zones but this approach won’t be viable following the incoming regulation changes.
The new GDPR laws are widening the definition of personal data protection. This means that while companies may not have had to comply before, they may have to under new regulation. The new GDPR considers any data that can be used to identity an individual as personal data; this results in almost all companies having to comply in some way with the requirements. Privacy by design is the order of the day with the new GDPR regulations asking companies to have software, systems and processes capable of meeting the new standards. This software must be capable of not only holding data but erasing it on demand which is not a common feature in current modes. This will pose a challenge to software engineers and businesses alike, along with the overall of challenge of complying with the demands of the new and improved systems.
One of the biggest challenges posed by the improved regulations it that of valid consent. Organisations need to ensure that they use simple and understandable language when requesting the collection of personal data. GDPR now requires all organisations to be able to prove clear and affirmative consent to process personal data. Current requests for the use of personal data will not meet the new GDPR regulations, companies will have to educate themselves on the new laws so as to adhere to the regulations. In the future, it will be imperative that organisations can explain exactly what personal data they are collecting and processing, and to what purpose.
Another significant change is the introduction of the right to be forgotten. The new GDPR will oversee the establishment of very restrictive and enforceable data handling principles. The result of this requires organisations not to hold data for any longer than absolutely necessary, and inhibits the changing of the purpose of the information from the original intent. This will result in organisations needing to get additional consent for any change made to the use of the data. This also means that companies will need to have the required structures in place to delete personal data upon the request of a data subject.
With the new GDPR comes the expanse of liability to companies from data controllers. Previously only data controllers were considered responsible for the processing of personal data but under the introduction of GDPR every organisation that touches personal data will be obliged to comply. This GDPR also covers any company that acts as a service provider dealing with personal data, so any interaction with this data will be subject to the regulations.
The benefits for businesses is that they only must deal with one supervisory authority rather than a different one for each European country. This will make it simpler and cheaper or organisations while concurrently EU citizens will maintain the right to approach any data protection authority of their choice to lodge complaints.
GDPR will come into effect on the 25 May 2018 allowing companies a two year transition period. For companies that will be affect by GDPR it’s recommended to started the changeover as soon as possible.