Who and what does GDPR apply to?
The short answer is: everyone, in one way or another. GDPR was created to protect EU Data Subjects–any EU citizens, regardless of their physical presence in the EU. Personal data as is covered by GDPR is any information related to a person that can be used to identify the person including, but not limited to:
Social media posts
Computer IP address
**Data that is fully anonymized does not fall under the jurisdiction of GDPR. If the data cannot be tied to a living, natural EU citizen, it is excluded from the GDPR regulations.
3 major changes to privacy protection under GDPR
Individuals affected by the GDPR are given a host of rights when it comes to managing their private data. Below are three areas where data controllers need to be especially mindful of changes to their obligations in order to protect and not infringe upon an individual’s rights.
Right to Consent
The individual must be provided with clear, unambiguous reasons for the collection and use of their personal data. They then must consent, through a statement or clear affirmative action, to the processing of their personal data in the ways that have been clearly stated.
Right to Access
Data subjects are within their rights to request access to the data that is being stored on them. Entities may not charge for processing an access request, unless they are able to demonstrate that the cost will be excessive. The timeline for processing a request for data access is 30 days. Organization may refuse, provided clear policies and procedures are in place. They must also demonstrate why each refused request meets the criteria for refusal.
Right to be forgotten
Individuals possess the right to request any of their personal information be deleted. The right to be forgotten requires data controllers to alert downstream recipients of deletion requests. The right to data portability allows data subjects to demand a copy of their data in a common format.
Internal Requirements for GDPR
GDPR includes provisions for how organizations must store, protect, and manage the data they collect. Organizations are required to build in data privacy by design when developing new systems, to ensure compliance with GDPR. Also of note is the Data Privacy Impact Assessment (DPIA). DPIA is the process of considering the impact a project or initiative might have on privacy. Organizations have an obligation to perform this assessment when designing new technologies, or using existing technologies in new ways.
Some organizations will be required by GDPR to have a Data Privacy Officer (DPO) to help oversee compliance efforts. Organizations required to have a DPO are public authorities, companies whose activities involve the regular and systematic monitoring of data subjects on a large scale, and companies who process what is currently known as sensitive personal data on a large scale.
Ahead of GDPR, Privacy Notices, Statements, Terms of Service, and internal data policies will need to be reviewed for compliance to GDPR.
Scope, Accountability, and Penalties
GDPR applies to:
GDPR requires demonstration of compliance with the supervisory authority. This accountability includes documenting processes and completing training to ensure compliance.
Depending on the violation to the GDPR there are numerous penalties that can be enacted on the offending organization. These penalties can result in significant fines depending on the severity of the violation.
Accent’s Compliance with GDPR
Accent will ensure that the platform complies with all applicable GDPR requirements for a Data Processor. A number of changes will be made to comply and, provided you’re an Accent customer, the details of these changes will be communicated via your personal representatives on the Accent team.
Accent partners with several cloud providers for clients who have opted for cloud-hosted solutions. Below are a few of our providers’ published statements regarding their commitment to GDPR compliance as data processors.
Need more information?
If you’re an existing Accent customer and have further questions about Accent and GDPR compliance, please connect with your customer success manager.
This overview is intended to provide background information to help better understand GDPR and Accent’s compliance with these requirements. This overview does not constitute as legal advice for your company to use in complying with EU data privacy laws like the GDPR. This information is not the same as legal advice, where an attorney applies the law to your specific circumstances. This overview is not legal advice or legal recommendations.
Please consult an attorney if you require advice on your company’s interpretation of this information or its accuracy.