Disclaimer: EU data protection laws, including the GDPR, are complex. This FAQ should not be considered legal advice. Please consult a legal professional for details on how the GDPR impacts your organization.
What is GDPR?
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union.
GDPR extends the reach of EU data protection law to organizations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. It harmonizes data protection rules across the EU, which makes it easier for non-European companies to comply with a single set of rules; however, this comes with a strict compliance regime and severe penalties: up to 4% of annual worldwide turnover or €20 million, whichever is higher, for the most serious infringements (a lower tier of up to 2% or €10 million applies to other infringements).
Learn more on Wikipedia at https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
Why should I care about the GDPR?
The GDPR is the most significant change to EU data protection law in over 20 years. It affects any organization that offers goods or services to individuals in the EU or monitors their behaviour, regardless of where the organization is established.
The GDPR strengthens and harmonizes data protection law within the EU. Among the rights and obligations it strengthens or introduces are:
- Right to access
- Right to be forgotten
- Data portability
- Breach notification
When is the GDPR coming into effect?
The GDPR applies from May 25th, 2018.
The GDPR was adopted by the EU Parliament in April 2016 and entered into force in May 2016, followed by a two-year transition period. Unlike a Directive, a Regulation does not require enabling legislation to be passed by each member state's government, so it applies directly in every member state from May 25th, 2018.
What is personal data?
Any information relating to an identified or identifiable natural person ('data subject'). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as:
- a name or an identification number
- location data
- an online identifier (e.g. an IP address or a cookie ID)
- one or more factors specific to that person's physical, physiological, genetic, mental, economic, cultural or social identity
Personal data can therefore be anything from a name, a photo, an email address or bank details to posts on social networking websites, medical information or an IP address.
Who are data controllers, processors and sub-processors?
A data controller is the entity or person that determines the purposes and means of processing personal data. A data processor processes personal data on behalf of the controller. For example, Lanetix is a data processor and Lanetix’s customers are the controllers of their end-users' personal data: Lanetix processes that data only for the purposes determined by the controller, our customer, and on its instructions.
The GDPR applies to both data controllers and processors. Controllers collect data from end-users who are data subjects in the EU, for clearly stated purposes and on a lawful basis (such as consent). Data processors provide services to the controller in accordance with each controller's documented instructions. Note that a processor which uses the collected data for its own purposes, for example benchmarking analysis sold back to controllers as a comparison against industry averages, is acting as a controller for that processing and needs its own lawful basis for it.
A further category, sub-processors (third parties that perform processing on behalf of a processor), is also accountable for the protection of personal data under the GDPR. A processor may engage a sub-processor only with the controller's authorization and remains liable to the controller for the sub-processor's performance.
Who is a DPO and does Lanetix need one?
Lanetix is not obliged to appoint a Data Protection Officer (DPO).
A DPO must be appointed if you:
- are a public authority or body (except courts acting in their judicial capacity)
- carry out, as a core activity, regular and systematic monitoring of individuals on a large scale (e.g. behavioural tracking for advertising)
- process, as a core activity, special categories of personal data (e.g. health, biometric or genetic data) or criminal conviction data on a large scale
The Lanetix Chief Technology Officer (CTO) is responsible for informing employees of their compliance obligations and for ensuring that we conduct the monitoring, training and audits required by the GDPR.
Can we use Lanetix's products before you are fully compliant?
Yes, you can continue to use all Lanetix products while we complete our compliance work. The regulation adopted by the EU Parliament in April 2016 gives businesses a two-year adaptation period until it applies on May 25th, 2018. Preparing for the GDPR is a company-wide effort involving a large amount of time, resources and expertise. Lanetix is working towards it and will be GDPR compliant by May 25th, 2018.
What is the cloud or Software-as-a-Service (SaaS) advantage to meeting data governance policies?
Meeting compliance requirements demands time, effort, cost and expertise. Using a cloud or SaaS provider that already operates a secure, well-governed model for data management gives you a safe environment in which to manage and process your data, and lets the provider absorb much of the effort of keeping pace with changing policies. This does not shift accountability, however: the controller remains responsible for the processing, must put a data processing agreement in place with the provider (Article 28), and should verify the provider's technical and organizational measures rather than take them on trust.
How does my company benefit by complying with the GDPR?
The GDPR helps restore consumer trust by establishing a single set of data protection rules and individual rights across the EU. The new law lets businesses pursue opportunities in the digital market while protecting individuals’ fundamental rights.
Businesses can benefit through:
- Cost savings and simpler policy management by dealing with one law instead of 28 national laws, each of which previously had to be handled locally.
- Consistent data protection practice both inside and outside the EU, because the same regulation applies to every business processing EU individuals' data, regardless of where it is based.
- A clear, harmonized legal framework on which new products and services can be built.
What do you mean by ‘Right to be forgotten’?
Individuals have the right to have their personal data erased without undue delay, for example when the data is no longer needed for the purposes for which it was collected, when they withdraw the consent on which the processing was based, or when the processing was unlawful. The right is not absolute: it does not apply where the processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, or for certain other reasons set out in the regulation.
Does the GDPR require EU data to stay in the EU?
No, the GDPR does not require EU personal data to stay in the EU, and it largely carries forward the existing rules on transfers outside the EU: such transfers are permitted only to countries with an adequacy decision or where appropriate safeguards are in place.
Data transfers from the EU to third countries can be legitimized in several ways, including:
- an adequacy decision by the European Commission for the destination country
- EU-US Privacy Shield (note: invalidated by the Court of Justice of the EU in July 2020, so it can no longer be relied upon)
- Standard Contractual Clauses (model clauses)
- Binding Corporate Rules (BCR)
What does GDPR mean by “data protection by design and by default”?
Data protection by design means building appropriate technical and organizational measures, such as pseudonymisation and data minimisation, into products and services from the time the means of processing are first determined, and maintaining them throughout processing, rather than adding privacy features afterwards.
Data protection by default means that, out of the box, only the personal data necessary for each specific purpose is processed. This applies to the amount of data collected, the extent of processing, how long it is stored and who can access it, so that personal data is not made accessible to an indefinite number of people without the individual's intervention.
What about individuals under the age of 16?
Where consent is the lawful basis for offering online services directly to a child, parental consent is required to process the personal data of children under the age of 16; member states may set a lower age of consent, but not below 13.
Where can I go to learn more?
The following online resources may be useful:
- Wired’s GDPR Guide
- Microsoft Trust Center
- Axon IT Questions About GDPR