GDPR Executive Summary: What You Need to Know
Never heard of the GDPR? You will soon, especially if you don't want the supervisory authority knocking on your door, finding that you don't comply with the regulation, ordering you to erase data or stop processing it, or handing you a fine in the millions. Noncompliance could be a major setback for any organization at a minimum and catastrophic at worst.
The GDPR regulates the processing of personal data of people in the European Union (EU). It applies to organizations both inside and outside the EU that process personal data of data subjects who are in the Union, regardless of the person's citizenship. It was adopted by the European Parliament and the Council in April 2016 and repeals the 1995 Data Protection Directive 95/46/EC.
To comply, organizations will need to audit and map their data extensively, identify a legal basis for each processing activity, make sure partners and third-party processors are compliant, provide certain information to data subjects, possibly appoint a data protection officer and perform data protection impact assessments, and much more.
Understanding the GDPR is the first and easiest step towards compliance. This article provides the basic information for BI and analytics managers who have only an inkling of what the GDPR is, how large its penalties are, and when it becomes enforceable (25 May 2018).
Although the GDPR contains 99 articles, only about half of them are relevant to BI and analytics managers, and most of those are in chapters two, three, and four (summarized and paraphrased below, together with the chapters on international transfers and penalties).
Does the GDPR apply to you? (Chapter 1 Articles 2 and 3)
This regulation applies to organizations inside and outside the Union that process personal data of data subjects who are in the Union. Organizations with no establishment in the Union are only subject to it if the processing relates to offering goods or services to people in the Union (whether or not payment is required) or to monitoring their behaviour within the Union.
Rules for processing personal data (Chapter 2 Articles 5-11)
Processing personal data is lawful if at least one of the following is true:
- The data subject has given consent
- Processing is necessary for the performance of a contract
- Processing is necessary for compliance with a legal obligation
- Processing is necessary to protect vital interests of the data subject
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority
- Processing is necessary for the legitimate interests pursued by the controller or a third party, unless those interests are overridden by the interests or fundamental rights of the data subject
Even when processing has a lawful basis, organizations must abide by the principles of Article 5. Personal data must be processed lawfully, fairly, and in a transparent manner; collected for specified, explicit, and legitimate purposes; and be adequate, relevant, and limited to what is necessary. The four remaining principles are accuracy, storage limitation (keep data no longer than needed), integrity and confidentiality (appropriate security), and accountability (the controller must be able to demonstrate compliance).
Processing personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and processing genetic data, biometric data used to identify a person, health data, or data concerning sex life or sexual orientation, falls under the special categories of Article 9. It is prohibited unless one of the specific conditions listed there applies, such as explicit consent.
Rights of the data subject (Chapter 3 Articles 12-23: what they can ask of you)
Data subjects can require organizations to erase, correct, or provide a copy of their personal data, to hand it over in a portable format, and to restrict or stop the processing of their personal data, including the right to object to profiling. Organizations also have to provide certain information to people both when the data is collected directly from them (Article 13) and when it is obtained from another source (Article 14).
Obligations of data controllers and processors (Chapter 4 Articles 24-43)
General obligations include keeping a record of all processing activities, cooperating with the supervisory authority, and following the joint-controller rules when two or more organizations jointly determine the purposes and means of processing personal data.
Organizations also need to implement the security measures appropriate to the risk of the processing, as outlined in Article 32, and notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33); affected data subjects must be notified when the breach is likely to result in a high risk to them (Article 34). When a type of processing, especially one using new technologies, is likely to result in a high risk to individuals, a data protection impact assessment (DPIA) must be carried out before the processing starts (Article 35).
Organizations must designate a data protection officer (DPO) if processing is carried out by a public authority, if their core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or if their core activities consist of large-scale processing of special categories of data or data relating to criminal convictions (Article 37).
Rules for transferring data to third countries or international organizations (Chapter 5 Articles 44-49)
To transfer personal data to a third country or international organization, either the European Commission must have decided that the country or organization ensures an adequate level of protection (an adequacy decision), or the organization transferring the data must provide appropriate safeguards, such as standard contractual clauses or binding corporate rules. If there is neither an adequacy decision nor appropriate safeguards, a transfer can still take place only under the specific derogations of Article 49, for example with the data subject's explicit consent after being informed of the risks.
Penalties for noncompliance (Chapter 8 Articles 82 and 83)
Any person who has suffered damage from an infringement of the GDPR has the right to receive compensation from the controller or processor responsible. For less consequential infringements, administrative fines can be up to €10,000,000 or two percent of worldwide annual turnover, whichever is higher. For more consequential infringements, such as violating the basic principles of processing or data subjects' rights, fines can be up to €20,000,000 or four percent of worldwide annual turnover, whichever is higher. Supervisory authorities also have corrective powers beyond fines, including ordering the erasure of data and imposing a temporary or permanent restriction or ban on processing.