7twenty prepares its customers for the GDPR!
The European Commission has adopted the General Data Protection Regulation (GDPR). This new legislation is the most impactful change in privacy and Data Protection regulation of the last decades.
This regulation came about after more than four years of deliberations and negotiations and will affect organizations worldwide. The GDPR requires fundamental changes to how organizations approach Data Protection.
The European Parliament and Council formally adopted the regulation in May 2016.
The new rules become applicable two years thereafter. This means that from May 2018 onwards, your organization needs to be in full compliance with the new rules of the GDPR. Since certain provisions of the GDPR will require substantial changes in your organization, the time to act is now!
7twenty is ready to share its knowledge with its customers and prospects so that they are well prepared to meet the EU regulations.
How Does It Impact Organizations?
Until recently, Data Protection regulation in the EU received only limited attention. Fines for breaches of the regulations were limited and enforcement actions infrequent. With the GDPR, this will change. Three factors contribute to this.
Real reputational risk
Enforcement activities by Data Protection regulators will increase. Data Protection breaches will hence be brought to light sooner. The risk of reputational consequences will therefore become all the more real.
Large geographic reach
With the GDPR, the geographic reach of the legislation is increased to ‘all organizations offering goods or services to EU citizens’ and ‘organizations that monitor the (online) behaviour of EU citizens’.
This means that your organization might now be in scope of the EU Data Protection regulation, where it was not before.
Very significant fines
Failure to implement one or more Data Protection requirements adequately will lead to very significant fines. The GDPR introduces fines that can amount to 20 million EUR or 4% of global annual turnover, whichever is higher. This is a big and serious change compared to the limited sanctioning possibilities under the old regime. Hence, adequate implementation of Data Protection requirements within your organization is now more important than ever.
What are the fundamental changes?
The GDPR introduces a number of new legislative requirements. A few of the most important ones are briefly described below:
Data Protection by Design and Default
- Under the old Data Protection regime, organizations were already required to have ‘appropriate technical and organizational measures’ to protect personal data. Under the GDPR, organizations must now demonstrate that these measures are continuously reviewed and updated.
- Additionally, organizations must now demonstrate that the appropriate measures are included in the design of processing operations and that, by default, personal data are only processed where necessary.
Data Protection Impact Assessment (DPIA)
- Under the GDPR, organizations should carry out a DPIA on the envisaged processing operations, where processing is likely to lead to high privacy risks.
- If the result of the DPIA shows a high inherent risk, the Data Protection supervisory authority needs to be consulted prior to processing.
Mandatory Data Protection Officer (DPO)
- Under the GDPR the appointment of a DPO is mandatory in a number of situations.
- The DPO must possess expert knowledge of Data Protection law and practices and should be sufficiently independent in the performance of the role.
- The DPO role may be carried out by a service organization.
Data Breach Notification obligation
- The GDPR introduces the obligation for data breach notifications for every organization.
- Organizations should notify the supervisory authority within 72 hours in case of a data breach requiring notification.
- Personal data breaches need not be reported if the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals.
- In case of a data breach with high privacy risks, the data subjects should also be informed.
In addition to the new requirements described above, many Data Protection requirements that existed under the old regime stay in effect in a similar or amended form (e.g. limitations on cross-border data transfer, requirements on consent, requirements related to the access rights of data subjects, etc.). The GDPR demands that organizations implement adequate and tailored Data Protection control frameworks and risk management. Mere policy updates for Data Protection compliance will not suffice. Data Protection processes and controls need to be in place. The GDPR demands auditable Data Protection.