The European General Data Protection Regulation (GDPR)

30 April 2017
Written by EPI-USE Labs Staff writer

EPI-USE Labs is a global company with hubs throughout Europe, the United Kingdom, the Americas, Australia, the Philippines, South Africa, the Middle East and Turkey.

The implementation of the new General Data Protection Regulations (GDPR) is gathering momentum heralding far-reaching changes to business operations, global commercial relationships and personal freedom in the business community relating to the European Union.

 

The Main Tenets of the GDPR

  • A single set of rules. Data protection rules will blanket the entire EU to remove onerous administrative requirements.
  • A single authority. Each region will have a data protection regulator who will need to liaise with regulators in other EU countries. (That word “single” is not entirely accurate because there will be a super regulator.) The EU Data Protection Board will include the head of each national data protection regulatory body and the European Data Protection Supervisor. This Data Protection Board will be empowered to guide and resolve disputes among national regulators.
  • Definitions of data. The scope of “personal data” has expanded. Two new categories of data – genetic and biometric – are included on a list of “sensitive data”, which also includes racial or ethnic origin, political opinions, religious or philosophic beliefs, trade union membership and data concerning health or sexual orientation.
  • Pseudonymised vs anonymised data. The regulation does not apply to fully-anonymised data whereas pseudonymised data is personal data because it can be re-associated with a specific individual.
  • Consent. This must be specific and informed and given freely by the data subject. There are, however, limitations on consent and consumers cannot be asked to agree to any unfair contractual terms in exchange for their consent. Consent is also not valid where there is “a clear imbalance [of power] between the [consumer] and the [company]”. Importantly, consent is not valid in the context of a contract if the consumer must give consent for use that is not necessary for the performance of the contract. This will significantly affect the business model of free apps or services that rely on selling user data to pay for the costs of providing the service.
  • Internal controls. Policies and procedures regarding this will have to be produced in the event of a complaint. Data breaches and investigations must be documented.
  • Data Protection Officer (DPO). Companies operating with large scale customer databases must have a DPO. SMEs of less than 250 employees will be exempt unless personal data processing is core to their business.
  • Data portability. Consumers will have easier access to their data and transferring it will be made easier.
    A "right to be forgotten" or erasure. When an individual no longer wants her/his data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be deleted. This is about protecting the privacy of individuals, not about erasing past events or restricting freedom of the press.
  • Data protection by design and by default. ‘Data protection by design’ and ‘Data protection by default’ are now essential elements in EU data protection rules. Data protection safeguards will be built into products and services from the earliest stage of development, and privacy-friendly default settings will be the norm – for example on social networks or mobile apps.
  • Breach notification. Companies have 72 hours to notify the national data protection regulator of any breaches.
  • Fines for mismanagement. Fines of up to 4% of worldwide turnover will be issued to companies for data mismanagement.

 

How to prepare for GDPR

  1. Prepare to redesign your data management processes and IT systems with a much greater emphasis on data protection and security. Note that you will be required to show your security policies and strategies on request.
  2. Form a group to oversee all your privacy activities under a senior manager. If you have more than 250 employees, appoint a Data Protection Officer. This group will need to report regularly on the status of privacy efforts and create statements of compliance.
  3. Create and implement a breach notification process and enhance your incident management and detection and response capabilities. Every data breach must be reported even if protective measures such as encryption are in place.
  4. Prepare your company to fulfil the “right to be forgotten”, “the right to erasure” and the “right to data portability” requirements. You will need to institute a strategy for data classification, retention, collection, removal, storage and search. All methods of data collection must be included such as the internet, call centres and paper.
  5. Create and enforce privacy throughout your systems. Privacy control will have to be simpler, stronger, harder to by-pass and embedded in the system’s core functionality.

 

 

Explore Popular Tags

News EPI-USE Labs SAP Test Data Management ASUG SAP Landscape User Group Data Sync Manager (DSM) Event S4HANA SAP HCM reporting GDPR S/4HANA Migrations SAP Data Security SAP security SAP test system landscapes data scrambling Query Manager SAP HCM SAP Landscape Transformation SAP SuccessFactors Webinar Data Sync Manager PRISM s/4HANA ERP Elephants, Rhinos & People Innovation SAP S/4HANA Client-centric Data Privacy Landscape Management SAP test data management groupelephant.com DevOps Document Builder Cloud and Managed services Data Security HR SAP HANA collaboration partner DSM Digital HR Global SAP GDPR System Landscape Optimization User Group event AWS AWS Cloud Migrations Cenoti, connecting SAP with Splunk Cloud Cloud Migration DSM5 Data Secure EPI-USE GDPR compliance HCM QM4 SAP SuccessFactors Reporting SAP data privacy and compliance SLO Security South Africa Strategic partnership Virtual event fiori Access risk controls Amazon Web Services (AWS) Archive Central Cloud Solutions Data EPI-USE AWS EPI-USE Labs’ solutions Evolutio GRC HCM, HR Journey to SAP SuccessFactors March 2021 Migrate SAP to Microsoft Azure Risk management SAP Business Technology Platform SAP HCM Roadmap SAP HCM/HXM SAP data SAP migration SAPinsider SAUG Splunk Success Story Teched Transformation ASUG Chicago AppDynamics At-risk elephants and rhinos Australia Automation BTP Blog CSR Client events Community Corporate Social Responsibility DSM Readiness Assessment Data masking Data privacy compliance Design Thinking Digital transformation Employee payroll GDPR deadline GDPR readiness General Data Protection Regulation INSPIRE2024 Intelligent HR and Payroll Microsoft Azure SAP AppHaus Network SAP BTP SAP Cloud-Lift for Azure SAP Gold Partner SAP Pinnacle Awards SAP on Azure SAPPHIRE SAPPHIRE-NOW Soterion SuccessConnect Sustainability Sydney UK UKISUG Value through Innovation analytics certification oilandgas partners technology test data masking utilities .conf21 AI ASUG Philadelphia AWS MSP Partner Program AWS Managed Support AWS Well-Architected Framework Accurate test data Acquisition Ad Hoc Query Advanced AWS Partner Africa Analytics Connector Analytics solutions Anniversary Appointments Artificial Intelligence (AI) Auckland Brownfield Business Analytics Cloud Infrastructure Cloud Payroll Cloud migrations Custom Development DATPROF Data Diclose Data-Sync-Manager-Suite ECC EPI-USE AppHaus Pretoria Employee Central Events GDPR-type legislation GRC for SAP Gender Pay Gap Governance, Risk Management and Compliance (GRC) Greenfield HCM Reporting HR Innovation & Tech Fest HR and Payroll data HR conference Hackathon Higher Education Hybrid SAP and SuccessFactors INSPIRE2023 IS-Oil Indiana Innovationspreis-IT InsightsSuccess Jon Bon Jovi Justin Timberlake Keynote Mastering SAP Melbourne Microsoft Ignite Microsoft data centres Migration Move to SuccessFactors Employee Central NZSUG New York City Oil, Gas and Energy POPI POPI Act POPI Act deadline June 2021 POPIA PRISM for HCM (Private Cloud Edition) Payroll reporting Purdue University Query Manager User Group Rabobank Real-time reporting and document creation Realtech Recharge HR Reporting and analysis Return on investment Rise with SAP Risk monitoring SAP HCM On-Premise Solutions SAP HCM journey SAP HXM SAP Hack2Build SAP Hudson Yards SAP NOW SAP Payroll SAP Query SAP RISE SAP Reporting SAP S/4HANA Assessment SAP SuccessFactors HCM Journey SAP SuccessFactors People Analytics SAP and non-SAP SAP cloud migrations SAP data privacy & security SAP data privacy and security SAP on AWS SAP solutions SAUG National Summit 2022 SQ01 reporting Sabaas Selective Data Transition (SDT) Successful Innovation TOP 100 Test data automation Transformation without re-implementation Video Workshop Worksoft bancon’s bPostingEngine (bPE) businesschange cloud hosting compliance customer collaboration data copy downstream ebook
+ See More

Get Instant Updates

Leave a Comment: