The European Union foresees that the application of the GDPR will suppose sanctions of up to twenty million euros or 4% of turnover of the previous period for non-compliance. Now that we are in the final stretch, it is convenient to determine whether our company is prepared to meet the challenges. Can you respond to this 7 questions? Data Control will help you to comply with the GDPR.
1- Who are the main entities and agents affected by the GDPR?
The Data Protection Control Authority (DPA). Independent public authority established by a Member State to enforce local legislation.
Processing supervisor. Natural or legal person, public authority, service or any other body that treats personal data on behalf of the controller. The manager does not determine the purpose and the means of treatment. They only process the data as requested by the controller.
Controller or processor. The person or department responsible for defining what personal data the company needs and for what purpose. Then, the company requests the data from people (employees, customers, general public, etc.). A simple example could be a webpage that asks for your name and address to send you a package. The company that requests the information and establishes to what purpose it will be used is responsible for the data.
2- What will happen to the Data Protection Laws of Member States?
The regulation does not repeal them nor can they be repealed, as they are attributable to each Member State. The regulation causes the normative displacement of Member State Laws in anything that is in conflict with the European regulation. But these laws will remain in vigor until they can be completely repealed or modified to adapt them to the GDPR. Consequently, it will be necessary to take into account both the GDPR and Member State law. When there is conflict between one and the other, then the one dictated by the GDPR will apply above the Member State Law.
3– Should companies review their privacy notices?
The short answer: yes. In the information provided to interested parties, the regulation provides for the inclusion of issues which were not necessarily mandatory according to the regulation and many overlapping national laws. For example, it will be necessary to explain the legal basis for the processing of data, define its retention period, and advise interested parties that they can address their complaints to the Data Protection Authorities if they believe there is a problem with how their data is being handled. It is important to remember that the regulation expressly requires that the information provided be easy to understand and be presented in clear and concise language.
4– Does it change the way consent is to be obtained?
5– Can I outsource or divide up DPO responsabilites?
The regulation establishes that a business group may appoint a single DPO as long as he or she is easily accessible from each establishment. If you decide to outsource your DPO it would be necessary to establish a service level agreement (SLA) to ensure that you can comply with the GDPR. Compliance is achieved not only by checking the DPO checkbox, but also by having a DPO who can respond to the various requests of interested parties at any time.
6– When, how, and to whom do I report a security incident?
A security incident should be notified whenever it affects the personal data of natural persons, whether an incident results in loss or theft or if it is simply accessed. If the incident is not reported promptly, it can result in fines of up to 20 million euros or 4% of its annual turnover.
To whom? It is important to keep in mind is that there are two different thresholds, one for notifying customers or the general public, and another for alerting the DPA.
– If the personal data accessed includes any identifier, for example, email addresses, online account ID or IP, it will be necessary to notify the affected natural persons
– If the data contains monetary information – bank account numbers or other financial identifiers – then the incident is likely to harm the individual and the DPA must be notified
How? In addition to describing the nature of the incident, the notification should mention the types of data, the number of individuals, and the number of records exposed. The company should describe the possible consequences of non-compliance, as well as any mitigating efforts that need to be made.
What’s the deadline? The notification to the DPA should be issued within 72 hours after the incident.
7– Should companies start implementing the measures provided for in the regulation right away?
Not necessarily. The regulation is in effect, but will not be applicable until May 25, 2018. However, it may be useful for companies to start assessing the implementation of some of the foreseeable measures: perform risk analysis of your data systems, starting by identifying the type of processing they carry out; establish data processing records or implement impact assessments or any other foreseeable measures. Also design and implement procedures to adequately notify authorities or interested parties of any security incidents that may occur.
Luckily we have tools such as Panda Adaptive Defense , which have a Data Control module to help with such tasks. This tool is specialized in simplifying the management of this personal data since it discovers, audits and monitors in real time the complete life cycle of these files. And do not forget that keeping up with the GDPR is an active and meticulous process, but one which can be simplified and automated if with the right help.