Tuesday, December 5, 2017

The GDPR: Enhancing Data Protection by Design


In just under 6 months, the EU’s General Data Protection Regulation (GDPR) will come into force.

On May 25, 2018, the GDPR will replace the EU Data Protection Directive (95/46/EC, 1995), and in the UK it supersedes the data protection regime of the Data Protection Act (1998).  The regulation applies to all organisations established in the EU that process or store personal data, and to organisations outside the EU that process or store personal data of EU residents when offering them goods or services or monitoring their behaviour.  Unlike the prior rules, the GDPR puts the privacy and rights of the individual at its centre.  Consumers and data subjects have the right to know what data is held about them, how it is being processed, and how it is secured.

One Set of Rules For All the EU

The GDPR creates one set of rules for all EU member countries.  Where the prior directive had to be transposed into national law and could be interpreted and implemented differently by each country, the new regulation applies directly and uniformly across the entire EU.  Each member state keeps its own supervisory authority, but an organisation operating in several member states deals primarily with a single lead supervisory authority (the "one-stop shop"), and the authorities coordinate through the European Data Protection Board so that the regulation is enforced consistently.

Personal Data Is Redefined and Expanded

Under the Data Protection Directive, personal data was commonly understood to mean a person's name, photo, email address, phone number, postal address, and personal identification numbers (SSN, credit card numbers, bank account numbers, etc.).  The GDPR makes explicit that personal data also covers online and device identifiers such as IP addresses, cookie and mobile device identifiers, location data, and biometric data (fingerprints, retinal scans, hand geometry, etc.).  It also covers any factor specific to an individual's physical, physiological, genetic, mental, economic, cultural, or social identity.  In practice, any data that can be linked back to a person, alone or in combination with other data you hold, should be treated as personal data.

Defines Individual Rights

The GDPR provides the following rights for individuals:

  1. The right to be informed.  Companies must provide "fair processing information" to their data subjects, typically in a privacy notice, covering what data is collected, why, on what legal basis, for how long, and with whom it is shared.
  2. The right of access.  Individuals can obtain confirmation that their data is being processed, a copy of that data, and enough information to verify the lawfulness of the processing.
  3. The right to rectification.  Individuals can have inaccurate personal data corrected and incomplete data completed.
  4. The right to erasure (the "right to be forgotten").  Individuals can request the deletion or removal of their personal data where there is no longer a compelling reason to continue to keep it, for example when the data is no longer needed for the purpose it was collected or consent has been withdrawn.
  5. The right to restrict processing.  Individuals can require that processing of their data be suppressed, so that the data may be stored but not otherwise used, for example while a dispute about its accuracy is resolved.
  6. The right to data portability.  Individuals can obtain the personal data they provided in a structured, commonly used, machine-readable format and reuse it for their own purposes across different services.
  7. The right to object.  Individuals can object to particular kinds of processing, including direct marketing and processing based on legitimate interests, and the processing must stop unless compelling legitimate grounds override their interests.
  8. Rights in relation to automated decision-making and profiling.  Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significant effects on them, and can ask for human intervention and contest such a decision.

Accountability and Governance

The accountability principle in Article 5(2) requires that companies be able to demonstrate that they comply with the data protection principles of the GDPR, and explicitly states that this is the controller's responsibility.  It is not enough to comply; you must be able to show that you comply.  This means implementing appropriate technical and organisational measures that ensure and evidence compliance across your organisation: documented policies and records of processing activities, staff training, internal audits, data protection impact assessments for high-risk processing, and, where required, a Data Protection Officer.

In future posts, we will go into more detail on various aspects of GDPR and explore how InterAction can help you in your compliance efforts, ensuring that data protection is done by design, not as an afterthought.

Be sure to contact your InterAction Account Manager for an exclusive invitation to our webinar series covering how InterAction tools can be used to execute GDPR compliance plans.

