GDPR

What is GDPR?

The General Data Protection Regulation (GDPR) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify the data protection for all individuals within the European Union (EU). This regulation becomes effective on May 25th, 2018.
GDPR is an enhancement of the 1995 Data Protection Directive. GDPR will replace the Data Protection Directive when it becomes effective. The Directive set out the following data protection principles that govern the treatment of personal data by organizations.
  • Lawfulness, fairness and transparency: Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject
  • Purpose limitation: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  • Data minimization: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  • Accuracy: Personal data shall be accurate and, where necessary, kept up to date
  • Storage limitation: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
  • Integrity and confidentiality: Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures
  • Accountability: The controller shall be responsible for, and be able to demonstrate compliance with, the GDPR

Who and what does GDPR apply to?

The short answer is: everyone, in one way or another. GDPR was created to protect EU Data Subjects, meaning any EU citizens, regardless of their physical presence in the EU. Personal data as covered by GDPR is any information related to a person that can be used to identify that person, including, but not limited to:
  • Name
  • Photo
  • Email address
  • Banking information
  • Social media posts
  • Medical information
  • Computer IP address
Note: Data that is fully anonymized does not fall under the jurisdiction of GDPR. If the data cannot be tied to a living, natural EU citizen, it is excluded from the GDPR regulations.

3 major changes to privacy protection under GDPR

Individuals affected by the GDPR are given a host of rights when it comes to managing their private data. Below are three areas where data controllers need to be especially mindful of changes to their obligations in order to protect and not infringe upon an individual’s rights.
Right to Consent
The individual must be provided with clear, unambiguous reasons for the collection and use of their personal data. They then must consent, through a statement or clear affirmative action, to the processing of their personal data in the ways that have been clearly stated.
Right to Access
Data subjects are within their rights to request access to the data that is being stored on them. Entities may not charge for processing an access request, unless they are able to demonstrate that the cost will be excessive. The timeline for processing a request for data access is 30 days. Organizations may refuse, provided clear policies and procedures are in place. They must also demonstrate why each refused request meets the criteria for refusal.
Right to be forgotten
Individuals possess the right to request any of their personal information be deleted. The right to be forgotten requires data controllers to alert downstream recipients of deletion requests. The right to data portability allows data subjects to demand a copy of their data in a common format.

Internal Requirements for GDPR

GDPR includes provisions for how organizations must store, protect, and manage the data they collect. Organizations are required to build in data privacy by design when developing new systems, to ensure compliance with GDPR. Also of note is the Data Privacy Impact Assessment (DPIA). DPIA is the process of considering the impact a project or initiative might have on privacy. Organizations have an obligation to perform this assessment when designing new technologies, or using existing technologies in new ways.
Some organizations will be required by GDPR to have a Data Privacy Officer (DPO) to help oversee compliance efforts. Organizations required to have a DPO are public authorities, companies whose activities involve the regular and systematic monitoring of data subjects on a large scale, and companies that process what is currently known as sensitive personal data on a large scale.
Ahead of GDPR, Privacy Notices, Statements, Terms of Service, and internal data policies will need to be reviewed for compliance with GDPR.

Scope, Accountability, and Penalties

Scope
GDPR applies to:
  • Entities within the EU
  • Non-EU businesses who market their products/services to EU Citizens
  • Non-EU businesses who monitor the behavior of EU Citizens
Accountability
GDPR requires demonstration of compliance with the supervisory authority. This accountability includes documenting processes and completing training to ensure compliance.
Penalties
Depending on the nature of the violation of the GDPR, there are numerous penalties that can be enacted against the offending organization. These penalties can result in significant fines depending on the severity of the violation.

Accent’s Compliance with GDPR

Accent will ensure that the platform complies with all applicable GDPR requirements for a Data Processor. A number of changes will be made to comply and, provided you’re an Accent customer, the details of these changes will be communicated via your personal representatives on the Accent team.
Accent partners with several cloud providers for clients who have opted for cloud-hosted solutions. Below are a few of our providers’ published statements regarding their commitment to GDPR compliance as data processors.
  • Google Cloud GDPR FAQs
  • Amazon AWS GDPR FAQs
  • Microsoft Azure GDPR FAQs

Need more information?

If you’re an existing Accent customer and have further questions about Accent and GDPR compliance, please connect with your customer success manager.

Disclaimer

This overview is intended to provide background information to help better understand GDPR and Accent’s compliance with these requirements. This overview does not constitute legal advice for your company to use in complying with EU data privacy laws like the GDPR. This information is not the same as legal advice, where an attorney applies the law to your specific circumstances. This overview is not legal advice or legal recommendations.
Please consult an attorney if you require advice on your company’s interpretation of this information or its accuracy.