General Data Protection Regulation (GDPR): 12 Of Your Questions, Answered

The goal of the General Data Protection Regulation (GDPR), which goes into effect in May 2018, is to protect the fundamental rights and freedoms of individuals in the EU as it pertains to their personal data. As you might imagine, it is a broad and complex piece of legislation, with far-reaching implications for businesses inside and outside the EU.

If you’re just becoming familiar with the General Data Protection Regulation and need a GDPR summary, take a look at this article. Then, familiarize yourself with 12 frequently asked GDPR questions below.

What are some of the most critical compliance implications from the GDPR?

The GDPR is comprised of 99 articles and isn’t easily summarized, but three of the most noteworthy compliance implications are as follows:

• Individuals in the EU have the right to withdraw consent to the use of their data, and organisations generally must comply (as found in articles 12-23).
• Organisations must proactively demonstrate they understand the data they have access to, how to use that data, and how to safeguard that data. Therefore, organisations must maintain, document, and enforce data protection policies and procedures (as found in articles 24-43).
• Organisations that collect personal data must have rigorous due diligence processes to ensure the appropriate technical and organisational controls are in place before sharing data with vendors (as found in article 32).

When does the GDPR go into effect?

Organisations have until 25 May 2018 to become fully compliant with the GDPR.

What are the penalties for noncompliance with the GDPR?

The maximum fine for not complying with the GDPR is €20,000,000 or 4 percent of a company’s worldwide revenue (not profit), whichever is greater. These staggering penalties are one of the reasons why the GDPR has caused such a stir in boardrooms across the EU and across the world.

The GDPR is comprised of 99 articles and plenty of complexities. Cut through the noise and help your organisation get prepared with this free guide.

Does the GDPR affect only companies within the EU?

Even if your organisation has no physical presence in the EU it is not necessarily exempt from GDPR enforcement. If you process the data of any EU citizen—regardless of where your business is located in the world—you must be GDPR compliant. This means that a large number of internet-based organisations around the world will be impacted. Additional details on this can be found in article 3 and in articles 44-50.

Do we need a Data Protection Officer to be compliant with the GDPR?

Not necessarily—but you might. Certain organisations are required to appoint a Data Privacy Officer, depending on the scale and nature of the data they’re processing. To determine if you need to appoint a Data Protection Officer, see articles 37-39.

What if I just “process” data? Do I still have liability to data subjects?

Under the GDPR, data processors can be liable to data subjects directly (rather than just to the controller) where such data processor has failed to comply with the GDPR (in addition to any liability the processor has to the controller). In addition, controllers who are concerned with article 32 compliance will put their processors through more rigorous due diligence processes to ensure their own compliance (as well as any additional contractual protections they may try to negotiate).

What is the “right to be forgotten”?

Per articles 12-23, if an individual requests access to their data or requests that data be removed from a company’s records, your organisation must take action within one month. This concept will likely prove particularly difficult for many organisations since data is easily stored and copied to many places. Now is the time to think about technical solutions that will assist with your compliance.

What is a Model Contract, and why is it important under the GDPR?

Controllers have limited options for legal cross-border data transfers from the EU to the U.S. One of the most popular is the use of Model Clauses. The European Commission has put into place two sets of standard contracts “for transfers from data controllers to data controllers established outside the EU/EEA, and one set for the transfer to processors established outside the EU/EEA”. Most of the provisions in these contracts cannot be altered nor negotiated, and are rather rigid in their requirements.

How is consent defined under the GDPR?

Article 4 of the GDPR states that consent is "any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her".

This definition dramatically impacts how businesses can use personal data of EU citizens, and how those businesses obtain that data. For example, you can no longer bury consent in a privacy policy; under the GDPR, your intentions for data use must be stated explicitly. Additionally, individuals have a right to know precisely what their data will be used for; organisations must not use the data for any other reason (with a few limited exceptions).

How do we evaluate the effectiveness of the measures put in place for the GDPR?

As previously noted, article 32 emphasizes that organisations that collect personal data must follow proper processes to ensure the appropriate controls are in place before they share data with third-party vendors. But it also states that those organizations need “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures”.

Unfortunately, there is not one correct way to assess these measures; it is a challenge that all organisations affected by the GDPR will have to face. Some organizations choose to perform regular audits, some use vendor questionnaires, and others use continuous monitoring tools.

When should we do a Data Protection Impact Assessment (DPIA)?

A Data Protection Impact Assessment (DPIA) is a formal process to determine GDPR compliance. As described by Ireland’s Data Protection Commission, a DPIA “describes a process designed to identify risks arising out of the processing of personal data and to minimise these risks as far and as early as possible”.

This ISACA article does a good job describing what a Data Protection Impact Assessment is and what it isn’t. For example, the author explains that a DPIA is not synonymous with a PIA, though closely related.

How does data mapping apply to the GDPR?

Without understanding how your data flows through your network, you probably won’t ever achieve full GDPR compliance. So while creating a “map” of how your data moves throughout your organisation isn’t strictly required (the GDPR just requires a “record of processing activities,” as found in article 30), it is a valuable activity.

While there are myriad options for creating your data map—from simple spreadsheets to complex Data Mapping tools—you’ll want to be certain you know where personally identifiable information (PII) is collected and stored, and the routes it takes to get to those areas.

Get more questions answered: Download A Risk Manager’s Guide To The General Data Protection Regulation (GDPR)

Download the guide below for even more information about the GDPR, including additional compliance implications, six ways you can begin to prepare for the GDPR, and much more. Get started with your GDPR compliance program today!