GDPR Requirements: An Overview & Roadmap for Compliance
What is GDPR?
The European General Data Protection Regulation (GDPR) has had a global impact since going into effect on May 25, 2018. GDPR regulates, among other things, how individuals and organizations may obtain, use, store, and erase personal data. It will have a significant impact on businesses around the world, not just those in the European Union.
According to Gartner research director Bart Willemsen, many decision-makers worldwide are reevaluating measures to safely process personal data and the business case for compliance amid the threat of hefty fines — organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater) — and an increasingly empowered consumer.
When Is the Deadline for GDPR Compliance?
With more than 50% of organizations set to miss the deadline, it is essential for your team to map out your GDPR strategy today as there will be no grace period once the law goes into effect on May 25, 2018.
Whom Does GDPR Affect?
The scope of the GDPR is very broad. The GDPR will affect (1) all organizations established in the EU, and (2) all organizations involved in processing personal data of EU citizens. The latter reflects the GDPR’s introduction of the principle of “extraterritoriality”: the GDPR applies to any organization processing personal data of EU citizens, regardless of where it is established and regardless of where its processing activities take place. This means the GDPR could apply to any organization anywhere in the world, and all organizations should perform an analysis to determine whether or not they are processing the personal data of EU citizens. The GDPR also applies across all industries and sectors.
There are a few definitions that will aid the understanding of the GDPR’s broad scope.
Do you need to comply with the GDPR?
You should consult with legal and other professional counsel regarding the full scope of your compliance obligations. Generally speaking, however, if you are an organization that is organized in the EU or one that is processing the personal data of EU citizens, the GDPR will apply to you.
What is considered “personal data”?
Per the GDPR, personal data is any information relating to an identified or identifiable individual; meaning, information that could be used, on its own or in conjunction with other data, to identify an individual. Consider the extremely broad reach of that definition. Personal data will now include not only data that is commonly considered to be personal in nature (e.g., social security numbers, names, physical addresses, email addresses), but also data such as IP addresses, behavioral data, location data, biometric data, financial information, and much more. It’s also important to note that even personal data that has been “pseudonymized” can be considered personal data if the pseudonym can be linked to any particular individual.
Sensitive personal data, such as health information or information that reveals a person’s racial or ethnic origin, will require even greater protection.
What does it mean to “process” data?
Per the GDPR, processing is “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” Basically, if you are collecting, managing, using or storing any personal data of EU citizens, you are processing EU personal data within the meaning prescribed by the GDPR.
If we ask you to provide personal information to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and advise you whether the provision of your personal information is mandatory or not (as well as of the possible consequences if you do not provide your personal information).
Similarly, if we collect and use your personal information in reliance on our legitimate interests (or those of any third party), we will make clear to you at the relevant time what those legitimate interests are.
If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the
Keep in mind that even if you do not believe your business will be affected by the GDPR, the GDPR and its underlying principles may still be important to you. European law tends to set the trend for international privacy regulation, and increased privacy awareness now may give you a competitive advantage later.
What Can My Cloud Service Partner Do to Help My Organization Get Ready for GDPR?
Gartner recommends that organizations act now to ensure they are in compliance when the regulation goes into effect. They should focus on five high-priority changes to help them get up to speed with GDPR requirements.
- Determine Your Role Under the GDPR
Any organization that decides on why and how personal data is processed is essentially a "data controller." The GDPR applies therefore to not only businesses in the European Union, but also to all organizations outside the EU processing personal data for the offering of goods and services to the EU, or monitoring the behavior of data subjects within the EU. These organizations should appoint a representative to act as a contact point for the data protection authority (DPA) and data subjects.
- Appoint a Data Protection Officer
Many organizations are required to appoint a data protection officer (DPO). This is especially important when the organization is a public body, is processing operations requiring regular and systematic monitoring, or has large-scale processing activities. "Large scale" does not necessarily mean hundreds of thousands of data subjects.
- Demonstrate Accountability in All Processing Activities
Very few organizations have identified every single process where personal data is involved. Going forward, purpose limitation, data quality and data relevance should be decided on when starting a new processing activity, as this will help to maintain compliance in future personal data processing activities. Organizations must demonstrate an accountable posture and transparency in all decisions regarding personal data processing activities. Outside parties must also comply with relevant requirements, which can impact supply, change management and procurement processes. It is important to note that accountability under the GDPR requires proper acquisition and registration of data subject consent. Pre-checked boxes and implied consent will be largely in the past. A clear and express action is needed, which will require organizations to implement streamlined techniques to obtain and document consent and consent withdrawal.
- Check Cross-Border Data Flows
Data transfers to any of the 28 EU member states* are still allowed, as well as to Norway, Liechtenstein and Iceland. Transfers to any of the other 11 countries** the European Commission (EC) deemed to have an "adequate" level of protection are also still possible. Outside of these areas, appropriate safeguards such as Binding Corporate Rules (BCRs) and standard contractual clauses (i.e., EU "Model Contracts") should be used. EU-based data controllers should pay specific attention to new mechanisms under the GDPR when selecting or evaluating data processors outside the EU and ensure appropriate controls are in place. Outside of the EU, organizations processing personal data on EU residents should select the appropriate mechanism to ensure compliance with the GDPR.
- Prepare for Data Subjects Exercising Their Rights
Data subjects have extended rights under the GDPR. These include the right to be forgotten, to data portability and to be informed (e.g., in case of a data breach). If a business is not yet prepared to adequately handle data breach incidents and subjects exercising their rights, now is the time to start implementing additional controls.
| Requirement | GDPR Reference | Actions | How Velocity helps |
|---|---|---|---|
| Consent | Article 4 (11), Article 7 | Customer | Users consent to which information Velocity collects about them. |
| Data Protection Impact Assessments | Article 35 | Shared | Velocity: Appointed a team to execute Privacy Impact Assessments to ensure data collection is minimally invasive. Customer: Designate personnel to decide what information to share with business partners. |
| Encryption | Article 32 | Shared | Client-specific data is encrypted at rest using AES 256-bit encryption. |
| European Data Protection Board | Article 68 | None | Simply monitor changes brought forth by the European Data Protection Board. |
| Personal data inventory | Article 30 | Customer | User controls uploads and data stored. |
| Pseudonymisation | Article 4 (5) | Customer | User controls uploads and data stored, and must record on their own what is contained therein. Accountable for performing any tasks associated with pseudonymisation. |
| Right to erasure | Article 17 | Shared | Users are in control of uploads. Velocity tracks modification requests and deletions from our ecosystem. |
Who does Velocity share my personal information with?