Privacy and Data Protection are a growing concern. The EU has adopted a new regulation that has been enforced since May 25th 2018. This new legislation – the General Data Protection Regulation (GDPR) – does not only concern the big data companies, but every company that processes personal information, as a controller or as a processor.
The GDPR has brought new elements and significant enhancements. It is important to identify the differences between the previous (local) law and the (EU) GDPR. Take into account the guidance produced by the individual EU Data Protection Authorities, the Article 29 Working Party and the European Data Protection Board (EDPB).
We are still in an (informal) transition period: the various supervisory authorities have started to enforce gently, nudging companies into compliance where awareness of the new Regulation may not yet be fully there. Keep in mind that this is entirely at the discretion of the supervisory authorities, and it will not be long before enforcement becomes more rigorous. Make sure you are prepared!
Your GDPR compliance approach should emphasize the documentation that data controllers must keep to demonstrate accountability. Depending on your organisation, the different areas of the GDPR will have more or less impact. Consider the major areas of Awareness, Data Inventory, Information, Individuals’ Rights, Subject Access Requests, Identification of the lawful basis for your processing activities, Consent, Data Breaches, Privacy by Design, DPIAs and the need for a Data Protection Officer in light of your particular organisation.
Do the check! It is more than likely that your company, small, medium or big, local to one country or multinational, is IN SCOPE of the GDPR. There is still time to become compliant, but the official transition period is over and enforcement is around the corner.
If it catches you unaware or underprepared, it can be very costly!
Do you think you are on track with your GDPR program?
In an effort to harmonize data protection laws across the EU even more than through the GDPR, the EU is moving the e-Privacy Directive to a Regulation. Additionally, the scope has been extended to apply to any company processing personal data in the context of delivering electronic communications and files, including so-called “over-the-top” providers like Gmail, WhatsApp and Netflix, not just traditional telecommunication providers.
Originally the e-Privacy Regulation was scheduled to come into force on May 25th 2018 as well, but the timeline was too ambitious and it will be rescheduled. As both Regulations are connected, this will leave a GAP if you are in scope of the e-Privacy Regulation; time will tell how we can deal with it.
Even if your organisation did not fall in scope of the e-Privacy Directive, it might just fall IN scope of the Regulation. Do not assume anything: check!