On May 25, the General Data Protection Regulation (GDPR) will come into effect, changing the landscape concerning data privacy. The GDPR seeks to empower EU citizens, strengthening their rights and freedoms.
While the impact the new regulation could have on business processes is unknown, the industry must take steps to ensure it is ready and fully compliant. But what do those steps entail? Here are four keys to preparing for the GDPR:
1) Creating Awareness
The life science industry should prepare for the implications the new laws are likely to have on business operations. Everyone within an organization, from the top down, must be aware that data protection laws across Europe are switching to the GDPR.
In the run-up, companies must perform risk assessments to gauge which areas of the organization could cause compliance issues under the regulation. Depending on the size of your company, be mindful that preparation for the GDPR can place a significant strain on resources. Therefore, careful consideration and planning ahead of time are vital.
2) Installing Data Protection Officers
Under the GDPR, organizations are required to bring on board a data protection officer (DPO) to ensure they remain compliant with the rules and regulations.
The crucial role DPOs play within an organization should not be understated. They liaise with supervisory authorities and act as the first port of call for employees on matters concerning their personal data. DPOs are also tasked with advising companies on data protection impact assessments and training employees on internal audits.
Prior to May 25, companies are encouraged to hire a DPO, especially when their core activities involve the processing of sensitive personal data on a large scale.
3) What Are Data Subjects’ Rights?
In the lead up to May 25, organizations must know the rights of data subjects inside and out. According to the GDPR, every EU citizen will possess the following rights:
- The right to be informed – data controllers must inform data subjects when their personal data have been obtained
- The right of access – data controllers must disclose to data subjects why their personal data were obtained and how they are being used
- The right to rectification – data subjects will have the right to have inaccurate personal data rectified by the controller in the event private information has been processed incorrectly
- The right to erasure or the right to be forgotten – data subjects will have the right to erasure when their personal data have been processed unlawfully
- The right to restrict processing – in the event the accuracy of personal data is contested, the data subject can have their private information restricted by the controller
- The right to data portability – data subjects will have the right to receive their personal data from controllers in a portable format, and transmit said data to another controller without repercussions
- The right to object – data subjects will have the right to object when their personal data are processed for scientific research purposes by controllers
- The right not to be subject to… – data subjects will have the right not to be subject to a decision based on automated processing, such as profiling
Each of these core tenets emphasizes the need for data controllers to be transparent with their subjects when handling private information. Organizations must be acutely aware of their responsibilities while doing everything necessary to ensure they abide by the rules.
4) What to do in the Event of a Data Breach
In the event of a data breach, the controller is obliged to report it without delay. They do, however, have some leeway: companies have 72 hours from the point of becoming aware of the breach to report it to the authorities.
When companies fail to report the breach in time, they must explain the reasoning behind the delay. Failure to comply with the GDPR here could have significant financial ramifications. According to Article 33, organizations can incur a fine of either €20 million or 4 percent of their annual turnover. Therefore, avoiding data breaches at all costs is really in the best interests of your organization.
Although preparation for the GDPR is by no means a straightforward process, following these four steps could make the transition less burdensome on your organization. The GDPR now stands only months away – is your company ready?
1) Information Commissioner’s Office – Preparing for the GDPR: 12 steps to take now – https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
2) Intersoft Consulting – Art. 33 GDPR – https://gdpr-info.eu/art-33-gdpr/