In a 2017 AIIM survey on Information Governance and Compliance, respondents were asked to identify the international regulations they must comply with. The list of internationally recognized regulations was long, but what stood out is that 46% of respondents said they would be operating under the European Union (EU) General Data Protection Regulation (GDPR).
GDPR was adopted in 2016 and comes into effect on May 25, 2018, replacing the Data Protection Directive of 1995. It aims to give individuals control over their personal information and to simplify the regulatory environment for international businesses by unifying data protection rules within the EU.
A noteworthy fact about this law is that it does not only apply to organizations established in the EU: it also reaches non-EU organizations that collect and process the personal data of individuals in the EU, for example by offering them goods or services or by monitoring their behaviour. Since so many businesses operate in the global economy, GDPR is being seen as the new benchmark in data protection regulation, much as Sarbanes-Oxley became the reference standard in the United States and PIPEDA did for Canadian companies.
So, what do you need to know? Here are a few new obligations your business needs to consider:
- Accountability is key under GDPR. Businesses must be able to secure and locate the personal data they hold, demonstrate how that data was collected, and show that the collection was lawful.
- Be able to demonstrate that you are managing that data in the manner the regulation intends. Every company collecting personal data must be able to say what data it holds, where it is, and how it has been used.
- Consent is everything under GDPR. An individual's consent must be freely given, specific, informed and an unambiguous indication of the individual's wishes; for special categories of data it must be explicit. Every company needs to review how it obtains and records consent, and whether that record would stand up to scrutiny.
- For processing of personal data to be lawful under GDPR, an organization must identify a lawful basis (consent, performance of a contract, a legal obligation, vital interests, a public task or legitimate interests) before it processes that data. Businesses will need to determine the lawful basis for each processing activity and make sure the compliance officer documents it effectively.
- GDPR strengthens and adds rights for individuals. Companies must be prepared to honour them, including the right to be forgotten (erasure), the right of access and the right to data portability, within the regulation's time limits.
Under GDPR, protecting personal data is no longer solely the responsibility of IT. Data protection must be considered and embedded in your business processes, from marketing to HR to business development. Will your data protection meet these new standards?