The General Data Protection Regulation (GDPR) is a new EU Regulation which replaces the 1995 EU Data Protection Directive (DPD). It significantly strengthens the protection of the personal data of individuals in the EU and increases the obligations on organisations that collect or process that data. It comes into force on 25th May 2018. The regulation builds on many of the 1995 Directive's requirements for data privacy and security, but adds several new provisions that bolster the rights of data subjects and impose harsher penalties for violations.
Like many organisations, Elvanto has instituted a program to ensure it will comply with the EU General Data Protection Regulation (GDPR) well before the 25th May 2018 deadline. As well as reviewing and changing our internal practices, procedures and resources, we will be releasing a new GDPR-specific privacy notice and reviewing and updating our relationships with our customers and suppliers. If you have any questions on how this might impact you, please contact us at email@example.com.
Although the GDPR does not require us to store customer data in the EU, we have been doing so anyway: our EU customer data has been stored in Dublin, Ireland, for a number of years now.
If you are a church that stores the personal data of individuals in the EU, then you will also need to comply with the GDPR. If you are just getting started with GDPR compliance in your church or organisation, here is a quick overview of the key points to keep in mind.
GDPR applies to any organisation that processes the personal data of individuals in the EU. The regulation introduces new, direct obligations for data processors while clearly setting out the accountability of data controllers.
The regulation's reach is not limited to organisations established in the EU. It does not matter where your organisation is based: if you process the personal data of individuals in the EU, for example by offering them goods or services or monitoring their behaviour, you come under its jurisdiction.
A breach of the GDPR can incur a fine of up to 4% of annual global turnover or €20 million, whichever is greater.
Personal data - Any information relating to an identified or identifiable natural person. Identifiers are commonly grouped into two types: direct identifiers (such as a name, email address or phone number) and indirect identifiers (such as a date of birth or gender) which can identify a person when combined with other information.
New & enhanced rights for data subjects - The regulation gives individuals much greater control over their personal data. Some of the rights highlighted in the regulation are the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability and the right to object.
Obligations of processors - GDPR has raised the bar for the responsibilities and liabilities of data processors as well. Processors must be able to demonstrate compliance with the GDPR, must process personal data only on the documented instructions of the data controller, and can be held directly liable for their own breaches of the regulation.
Data Protection Officer - Organisations may need to appoint a staff member or external service provider who is responsible for overseeing GDPR compliance, general privacy management and data protection practices. A DPO is mandatory for public authorities and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data (such as religious beliefs).
Data Protection Impact Assessments (DPIA, often called privacy impact assessments) - Organisations must conduct a DPIA before any processing that is likely to result in a high risk to individuals, such as large-scale processing of special categories of data, in order to identify the risks and the measures that will mitigate them.
Breach notification - Controllers must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and must inform the affected data subjects without undue delay where the breach is likely to result in a high risk to them. Processors must notify the controller without undue delay after becoming aware of a breach.