The GDPR is coming. Are you ready? Check out the FAQs below to learn more about this new legislation that will impact data privacy and corporate obligations in the EU and beyond.
What is the GDPR and when does it take effect?
The GDPR, or the General Data Protection Regulation, is designed to protect the privacy of EU citizens; enforce standardised data privacy laws across the EU; and reshape the way organisations in the EU and beyond process and manage personal data. The GDPR replaces the EU Data Protection Directive of 1995 and will go into effect in May 2018.
Does GDPR apply only to companies in the EU?
No; any organisation that collects or processes personal data of individuals in the EU or that offers goods or services to individuals in the EU is subject to the GDPR.
Is the GDPR specific to a certain industry? Does it apply to cloud or on-premises data storage?
The GDPR is not industry-specific and applies to both cloud and on-premises data processing and storage practices.
What are some of the key terms of GDPR, and how do these apply to organisations?
Personal data Any data related to an identified or identifiable person. This includes identifiers such as name, an identification number, location data, an online identifier, or any factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Controller A person, entity or public authority that determines the purposes and methods of processing personal data
Data subject A person whose personal data is processed by or on behalf of a controller
Processor A person, entity or public authority that processes personal data on behalf of a controller
What are the main requirements of the GDPR?
GDPR requirements can be traced back to seven principles of processing outlined in the regulation. These principles all seek to protect the privacy of individuals in the EU:
Lawfulness, fairness and transparency: Organisations must conduct data processing in a lawful, fair and transparent manner.
Purpose Limitation: Organisations may process data only for the purpose for which it was collected and communicated to a data subject.
Data Minimisation: In processing, the minimal amount of data should be collected to achieve the stated objectives.
Data Accuracy: Collected data should remain accurate for as long as it’s with the controller, and inaccurate data should either be removed or rectified.
Storage Limitation: Organisations should store data for only as long as necessary.
Integrity and Confidentiality: Processing should be done in a manner that appropriately protects the data using technical and organisational safeguards and preventing unauthorised or accidental disclosure or damage.
Accountability: The controller maintains primary responsibility for ensuring these principles are met, including when they are delegated to a processor
What’s the impact of noncompliance with GDPR?
Organisations that don’t take appropriate steps to protect personal data under the GDPR may face fines of up to 20 million Euros, or 4% of their total worldwide annual turnover. These fines are in addition to any compensation they may owe to individuals. Other potential impacts could include suspension or limitation on data flows, public reprimand and reputational damage.
Are there specific technologies, processes or systems dictated by the GDPR?
No; while establishing an extensive set of standards and requirements, the GDPR does not specify certain technologies, processes or systems. Companies can choose the technical and organisational measures they use to comply with the regulation.
How can OnBase help you meet your GDPR compliance objectives?
Organisations can use the OnBase enterprise information platform to create solutions that support their GDPR compliance initiatives. A variety of out-of-the-box functionality, flexible configuration options and built-in security controls offer the agility needed to help navigate the changing data privacy landscape. Click here to learn more.