GDPR – What do I need to know as a Small Medium Sized Business
Let’s start this conversation with some facts about GDPR. The regulation became active on May 25th, 2018. The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). GDPR replaces the Data Protection Directive, the previous legislation. The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU.
Some specific terms that are critical to applying GDPR to your particular business:
Data Subject – The individual that data identifies, directly or indirectly, by reference to an identification number or to one or more factors specific to his physical or physiological identity.
Data Controller – An organization that collects data from an EU resident.
Data Processor – An organization that processes data on behalf of a data controller, such as a cloud service provider.
Is sensitive data under GDPR different from the other categories of sensitive data (PII, ePHI, credit card numbers, SSNs)?
The regulation provides a separate definition for “sensitive personal data”. This relates to information concerning a data subject’s racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, or details of criminal offenses.
Does the regulation apply to my small business?
The regulation applies if the data controller (an organization that collects data from EU residents), the processor (an organization that processes data on behalf of a data controller, such as a cloud service provider), or the data subject (the person) is based in the EU. Under certain circumstances, the regulation also applies to organizations based outside the EU if they collect or process personal data of individuals located inside the EU.
As a business, when can I process the data of an EU resident?
Unless a data subject has provided explicit consent to data processing for one or more purposes, personal data may not be processed unless there is at least one legal basis to do so. These include:
- For the legitimate interests of a data controller or a third party, unless these interests are overridden by the Charter of Fundamental Rights (especially in the case of children).
- To perform a task in the public interest or in the exercise of official authority.
- To comply with a data controller’s legal obligations.
- To fulfill contractual obligations with a data subject.
- To perform tasks at the request of a data subject who is in the process of entering into a contract with a data controller.
- To protect the vital interests of a data subject or another person.
To be able to demonstrate compliance with the GDPR, the data controller must implement measures which meet the principles of data protection by design and by default. Data protection by design and by default (Article 25) require data protection measures to be designed into the development of business processes for products and services.
What are my rights as a data owner or data subject in GDPR?
Right of access – The right of access (Article 15) is a data subject right. It gives citizens the right to access their personal data and information about how this personal data is being processed. A data controller must provide, upon request, an overview of the categories of data that are being processed (Article 15(1)(b)) as well as a copy of the actual data (Article 15(3)). Furthermore, the data controller has to inform the data subject on details about the processing, such as the purposes of the processing (Article 15(1)(a)), with whom the data is shared (Article 15(1)(c)), and how it acquired the data (Article 15(1)(g)).
Right to erasure – A right to be forgotten was replaced by a more limited right of erasure in the version of the GDPR that was adopted by the European Parliament in March 2014. Article 17 provides that the data subject has the right to request erasure of personal data related to them on any one of a number of grounds.
Records of processing activities – Records of processing activities must be maintained that include the purposes of the processing, the categories involved and the envisaged time limits. The records must be made available to the supervisory authority on request (Article 30).
What are my duties in the event of a data breach under GDPR?
Data breaches – Under the GDPR, the data controller is under a legal obligation to notify the supervisory authority without undue delay unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals. There is a maximum of 72 hours after becoming aware of the data breach to make the report (Article 33). Individuals have to be notified if adverse impact is determined (Article 34). In addition, the data processor will have to notify the controller without undue delay after becoming aware of a personal data breach (Article 33).
Under GDPR, as a data processor or controller, what sanctions can be imposed in the event of non-compliance?
Sanctions – The following sanctions can be imposed:
- A warning in writing in cases of first and non-intentional noncompliance.
- Regular periodic data protection audits.
- A fine up to €10 million or up to 2% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater, for an infringement of the provisions listed in Article 83, Paragraphs 5 and 6.
- A fine up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater, for an infringement of the provisions listed in Article 83, Paragraph 4.
So what have I learned from this article on GDPR?
As a small business, if I collect or process European users’ data as defined under this law, I should:
- Engage an information security professional firm to review my business processes and risks.
- Conduct a risk assessment with a focus on GDPR.
- Develop and document policies to address GDPR regulation.
- Develop controls or remediation if I do not have them already in place for sensitive data under GDPR.
- Conduct a risk assessment of vendors focused on GDPR.
- Remediate “critical” or “high” risk gaps.
- Develop a continuous compliance program.