Continuous Transformation Blog

10 Critical Aspects of GDPR for European Businesses

Written by Lesa Moné | November 8, 2017

Europe's General Data Protection Regulation can be broken into 10 key areas businesses need to focus on to ensure compliance. Each is designed to make sure enterprises remain aligned with the standards of today's digital age, and in order to do so, LeanIX recommends investing in agile enterprise architecture solutions designed for agile and traditional organizations alike. But more on that later — here's the list:

10 Critical Aspects of GDPR for Businesses:

1. The EU GDPR applies to all.

The regulation applies to all companies worldwide that process the personal data of EU citizens.

The regulation specifically designates organizations that have:
  • A presence in an EU country.
  • No presence in the EU, but that process personal data of European residents.
  • More than 250 employees.
  • Fewer than 250 employees, but whose data processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data.

In essence, all companies will have to comply with GDPR. The online clothing retailer in China that processes orders from Sweden has to comply with GDPR. Retailers in Hawaii with a supporting European office must also comply.

2. EU GDPR tightens the rules for obtaining valid consent to use personal information.

Going forward, companies must be able to prove valid consent for using personal information. Article 4 of the regulation clearly defines which identifiers are considered personal information:
  • an identification number
  • a name
  • location data
  • an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

This will prove to be challenging, as companies never had this burden before. When customers enter payment information or sign up for regular marketing, companies passively collect their personal data. From now on, organizations need to plainly gather consent before collecting personal data and be clear about why they are collecting such information. Silence will no longer suffice as consent.

Tip: Many consent mechanisms currently offered are not valid under GDPR. Be sure to read the regulation's conditions for consent.

3. EU GDPR introduces a strict breach notification deadline.

The GDPR requires organizations to notify the local data protection authority of a data breach within 72 hours of discovering it. Furthermore, organizations must ensure that they have the technologies and processes in place that will enable them to detect and quickly respond to a data breach.

4. The GDPR widens the definition of personal data.

The definition of personal data has always been wide, but GDPR widens it much further. Any data that can be used to identify an individual is personal data. This means that certain parts of the IT estate that did not previously have to comply with data regulations will now have to take them into account.

5. The GDPR requires the appointment of Data Protection Officers.

The GDPR requires public authorities processing personal information to appoint a data protection officer (DPO), as well as other entities whose “core activities” require “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data.”

This is a new role, clearly designated by the EU GDPR.

6. The GDPR introduces mandatory assessments.

Data Protection Impact Assessments (DPIAs) are designed to demonstrate GDPR compliance. During a DPIA, an organization is required to describe the processing, assess the necessity and proportionality of the processing, and help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data.

Tip: DPIAs are important tools for accountability.

7. GDPR expands liability beyond data controllers.

Previously, only data controllers were considered responsible for data processing activities. Under GDPR, the liability to comply extends to all organizations that collect personal data.

8. The GDPR introduces the right to be forgotten.

Among the data handling principles are a requirement not to hold data for any longer than absolutely necessary and a requirement not to retroactively change the purpose for which the data was originally collected. Data subjects also have the right to request the deletion of their data.

10. The GDPR requires privacy by design.

Privacy has to be built into all software, systems, and processes by design. In the future, all software will have the ability to completely erase data – but until that day comes, IT leaders must strategize a way to protect, locate, and easily manipulate the personal data of their end users.

“We’re all going to have to change how we think about data protection,” states UK Information Commissioner Elizabeth Denham. Going forward, organizations must be committed to managing data sensitively and ethically, or face grave penalties. Approach the GDPR as an opportunity to regulate the management of sensitive data, and use an Enterprise Architecture view to prepare for the GDPR legislation.