What are the individual’s data rights?
General Data Protection Regulation (GDPR) is live and already firms are struggling to comply.
Some major newspapers with readership of 500 million have blocked access to their Web sites out of fear of penalties due to non-compliance. They are not alone – a vast majority of companies will be greatly challenged to comply with one component of GDPR – the right for individuals to know what data is possessed by the enterprise, where it is, and how it is used.
It also includes a right to be forgotten. Failure to comply could cost a company up to four percent of annual global revenues. Audit, Business, IT and Risk executives in firms affected by the regulations – which is virtually every firm that has heard about Europe – must be prepared to demonstrate that they are in compliance.
As a part of that, small business owners and IT executives will need to effectively segregate personally identifiable information (PII) and collaborate with partners on data constructs, storage, and destruction.
GDPR, the product of a concerted effort by the European Union to strengthen data privacy and protection rights for individuals within the EU, extends the concept of “personal data” to include such things as cookies, Internet IP addresses and RFID tags as well as employee, student and membership data.
This right will impact any and all companies that can be accessed (for example, via the Web) from Europe, which are almost all companies. Failure to comply could result in fines of up to four percent of annual global revenues! Or worse, a shutdown of their business operations.
What Are the Individual’s Rights?
There are six major areas associated with GDPR compliance that relate to individual rights:
- Further processing not based upon consent
- Right to object and profiling
- Right to erasure (right to be “forgotten”)
- Cross Border Transfer rights
- Data breach notifications
When it comes to the processing of special categories of personal data, explicit consent from individuals protected by EU laws is required and parental consent is needed for a minor, as defined by the EU member state.
Furthermore, the processing organization needs to consider the nature of the personal data, the possible consequences of further processing, and the existence of appropriate safeguards. This includes personal data used for direct-marketing purposes.
The generic opt-in/opt-out methods used by most firms today will not cut it – Facebook and Google were sued on this in Europe on the day GDPR went live. (See the chart below on the types of requests enterprises can expect to see rolling in after GDPR goes into effect.)
Then there is the right to be forgotten.
The individual has the right to request erasure of personal data without undue delay when the data is no longer necessary for the original purpose, when consent is withdrawn, or when the individual objects to the processing of the data. Large enterprises could expect up to a million requests yearly because of this right.
Google, in its efforts to comply with a May 2014 ruling by the Court of Justice of the European Union, was dealing with 2,100 – 3,600 requests for removal per day in 2017. 43 percent of the requests result in removal of URLs; no action is taken on the rest after investigation.
In 2014 Google had to address as many as 27,529 requests/day. Companies need to prepare for a similar onslaught and the potential for similar legislation locally.
Source: AvePoint keynote Sep. 28, 2017
Then there are the cross-border transfer rights.
Again, permission is required, except under certain circumstances. And lastly, companies must notify the regulatory authorities of a data breach without undue delay, and no later than 72 hours after becoming aware of it, unless that is not feasible. Imagine if Equifax – whose breach exposed nearly 150 million U.S. consumers – had to deal with that requirement!