New data privacy laws are coming into effect on May 25, 2018.
This is the age of technology; so much has changed, and privacy is no longer what we expect it to be. Enter a new wave of public policies and regulations. One of these is the General Data Protection Regulation (GDPR), which is said to be one of the most important changes in data privacy regulation this century. It was in the works for four years and was approved by the European Union (EU) in April 2016.
Enforcement is expected to start on May 25, 2018. Although this is primarily a European change, many North American workers will be directly or indirectly affected.
What exactly is GDPR? According to the official GDPR site, it is “designed to harmonize data privacy laws, across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach privacy”.
In other words, it seeks to tighten the rules around businesses' use of their clients' personal data and information, both within the EU member states and when exporting data outside of the EU.
What Does this Mean Legally?
Arguably the biggest change concerns the location of data subjects, that is, the individuals behind a client's personal data.
This means that companies will only be allowed to store personal data after the owner of the data consents to its storage. The data must be made portable from one company to another with the freedom to be erased upon request.
The conditions for consent are also strengthened under the GDPR. Rather than terms of consent being laid out in ways that are complex and likely to be overlooked, the GDPR calls for all consent terms to be easily distinguishable and clearly laid out.
Many of the changes also have to do with updating data subject rights, including the following:
- Data Portability: users of the data processing services applicable to the GDPR have a right to receive their personal data.
- Breach Notification: when a data breach puts individuals' data at risk, businesses in possession of the data are held accountable for notifying the relevant data subjects.
Additionally, the repercussions for breaching the GDPR will change. Breaching GDPR compliance could result in a fine of 4% of annual turnover, which is equivalent to 20 million euros!
What Does this Mean Practically?
The GDPR affects businesses both inside and outside of Europe. According to the Global Legal Post, “the regulation will apply to any organization, anywhere in the world that processes the personal data of European Union (EU) citizens”.
Concerning the actual cost of these changes, according to Michael Nadeau of CSO Online, 68% of US-based companies expect to spend $1-10 million USD to meet GDPR requirements.
Additionally, Canada's own Personal Information Protection and Electronic Documents Act (PIPEDA) will likely be updated in order to comply with the GDPR. PIPEDA currently allows for the easy flow of information from countries in the EU to Canada.
As of now, PIPEDA has an “adequate” status from the European Commission, meaning that it somewhat matches up with the GDPR. PIPEDA's “adequacy” has been up for debate, though, since the announcement of the GDPR.
So, what could change in PIPEDA as a result of the GDPR? Many of the changes listed above are also applicable to Canadians, including updates to breach notification protocol, penalties, and updates at the national security level (this would require a solution at an international level).
Although this may lead to much stricter laws, it is primarily being done in an effort to protect the personal data of individuals, as well as to allow ease of the movement of data from one country to another.
What Can You Do to Ensure your Firm is GDPR Compliant?
There are a variety of methods that you can use to prepare your firm to ensure GDPR compliance:
- Create a data protection plan – Implement a data protection plan in your environment to ensure your firm follows the correct procedures for saving data. If you already have a plan in place, review its parameters to ensure your firm is not at risk of non-compliance.
- Conduct an assessment – Measure the amount of risk your firm poses to data owned by EU citizens. Taking the time to assess your infrastructure will allow you to see whether there are any holes in the organization and help you draft an action plan to correct them.
- Establish and test a response plan for breaches – Reduce the risk of hefty fines by running through your firm's plan of action should a data breach occur. The GDPR requires a firm to report a breach within 72 hours.
Overall, though these changes might sound quite daunting and complex, it is all done in the interest of security, furthering the protection of data on a national and global scale.
For those concerned about their personal and professional data, Triella offers a variety of security- and protection-based products and solutions that can help to secure your infrastructure and make your information GDPR compliant.
Please give us a call at 647-426-1004 or email at email@example.com to discuss further.
Additional information can be found at:
Banks, T. (2017, May 2). GDPR matchup: Canada's Personal Information Protection and Electronic Documents Act. IAPP. Retrieved from https://iapp.org/news/a/matchup-canadas-pipeda-and-the-gdpr/
EU General Data Protection. (2017). GDPR Portal: Site Overview. Retrieved from http://www.eugdpr.org
Nadeau, M. (2017, September 26). General Data Protection Regulation (GDPR) requirements, deadlines, and facts. CSO Online. Retrieved from https://www.csoonline.com/article/3202771/data-protection/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html
Karbaliotis, C. (2016). Impact of GDPR on Canada May 2016 – Presented at IAPP Canada Symposium [PowerPoint slides]. Retrieved from https://www.slideshare.net/constantk/impact-of-gdpr-on-canada-may-2016-presented-at-iapp-canada-symposium
Robertson Krashinsky, S. (2017, July 24). Calls grow for Canada to modernize privacy laws amid EU changes. The Globe and Mail. Retrieved from https://beta.theglobeandmail.com/report-on-business/industry-news/marketing/calls-grow-for-canada-to-modernize-privacy-laws-amid-eu-changes/article35778176/?ref=http://www.theglobeandmail.com&
Wallack, A. (2017, May 9). The global impact of GDPR – what companies need to know. The Global Legal Post. Retrieved from http://www.globallegalpost.com/blogs/blagging-the-blogs/the-global-impact-of-gdpr—what-companies-need-to-know-16947516/
Tess Kern is a Student Intern/Content Contributor at Triella, a technology consulting firm specializing in providing technology audits, planning advice, project management and other CIO-related services to small and medium-sized firms. For additional articles, go to www.triella.com/publications. Triella is a VMware Professional Partner, Microsoft Certified Partner, Citrix Solution Advisor – Silver, Dell Preferred Partner, Authorized Worldox Reseller and a Webroot Reseller.
© 2017 by Triella Corp. All rights reserved. Reproduction with credit is permitted.