What is the GDPR?
The General Data Protection Regulation (GDPR) is designed to protect European Union (EU) citizens from privacy and data breaches in an increasingly data-driven world. Under the GDPR, individuals will have more control over their online presence and personal information. Organizations controlling data, like industry alliances and trade associations, will be responsible for keeping this personal data secure.
What is defined as personal data?
The GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
When does the GDPR go into effect?
25 May 2018.
Who does the GDPR cover?
The new regulation applies to all companies processing the personal data of data subjects residing in the EU, regardless of the company’s location. Additionally, an EU citizen can be living outside of the Union and still be covered by the regulation.
What are some Key Provisions?
- Consent: A company or organization must have clear and distinguishable consent from an individual. Consent is opt-in only and can be revoked at any time by the individual.
- Right to be Forgotten: A key provision of the regulation, “the right to be forgotten” ensures individual’s data can be easily erased when requested.
- Breach Notification: Data breaches must be reported to customers/individuals within 72 hours of first becoming aware of the breach.
- Privacy by Design: Company/organization data systems should only process data necessary for the completion of its duties, as well as limiting access to only those needing this information.
- Right to Access: Upon request, an organization must provide a copy of an individual’s personal data.
- Data Portability: Personal data must be distributed in a commonly used and machine readable electronic format free of charge.
What are penalties of non-compliance?
Companies in breach of GDPR can face penalties of up to 4% of annual global turnover or 20 million euros, whichever amount is higher.
What is the impact on ISTO Programs?
ISTO Programs will need to work with their program managers and other vendors to ensure that processes are in place to comply with the regulation for all EU citizens (regardless of current country of residence). Programs will need have positive consent from members/mailing list contacts for marketing and other contacts. Programs will be required to have processes in place if program leaders or members have access to member data, or marketing list data that is personally identifiable to ensure that it is used and maintained properly. Programs must also have systems or processes that ensure protection of personally identifiable data and provide the right for individual to withdraw permission, or for EU citizens to be forgotten.
What’s next?
ISTO is examining its systems and will develop processes for compliance on behalf of its member programs. ISTO is also working to develop template processes and education information for member programs’ leadership to use and to communicate with members. Program leadership should expect to be contacted by their program manager to get additional process or personally identifiable information use over the coming weeks.
For more information, visit the GDPR website.