General Data Protection Regulation
The content below is general information on European Union data privacy and the GDPR, and is not an exhaustive or complete summary, nor is it legal advice for your company.
We compiled this content to serve as helpful background information on an important topic. We recommend that you consult with an attorney if you are looking for legal advice, or if you’d like help applying this information to your company’s specific situation.
What is the GDPR?
Many are calling it the largest change in data privacy law in 20 years. The EU is calling it the General Data Protection Regulation. What we know for sure is that it is a new EU Regulation that significantly strengthens the protection of personal data of EU citizens and personal data collected within the EU. It expands many of the requirements of the previous EU data protection framework (the 1995 EU Data Protection Directive). The GDPR took effect on May 25, 2018.
Who is affected?
The GDPR significantly widens the scope of EU data protection law. Any organization that processes personal data of EU individuals is within the scope of the law, regardless of whether the organization has a physical presence in the EU. Importantly, under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”), such as names, email addresses and other personally identifying information. This definition also extends to technical information, such as IP addresses or device identifiers. “Processing” under the GDPR means collection, storage, transfer, or use.
Is it good or bad for businesses?
The GDPR makes compliance with EU data protection law more predictable because it provides for harmonization of data protection requirements across the EU – as opposed to the current regulations, which have resulted in a sort of patchwork of laws across all EU member states. The GDPR also makes compliance easier because the law was updated with the current state of technology in mind. The previous regulation is over 20 years old. Things have changed quite a bit since then, leaving various gaps when overlaying the law over current technology and complex international data flows and business processes. The GDPR aims to close many of those gaps.
Is EU data storage required for EU personal data under GDPR?
Absolutely not. The GDPR does not require that EU personal data be stored in the EU, and does not introduce any new restrictions on transferring EU personal data outside of the EU. PI clients can continue to rely on PI’s EU-US and Switzerland-US Privacy Shield Certifications, and where applicable, EU Standard Contractual Clauses to legally transfer EU personal data to PI in the US.
What clients should do
ADVISA will continue to focus on bringing you the best service, support, and consulting possible throughout ongoing changes with data privacy.
As a result of the General Data Protection Regulation taking effect, ADVISA has lost the ability to view your PI database.
Enabling ADVISA (a third party) to access your PI data allows us to continue to consult, problem-solve, and help you troubleshoot the software as we always have.
We recommend you take the following steps:
- Log in to your account here.
- Select the Admin feature (gear icon) in the upper right-hand corner.
- Choose “Third Party External Users” to the left.
- Select “Enable” next to your PI Certified Partner’s name, or use “Select All.”
If you have questions, please reach out to Leslie Phillips or Matt Roberts at 317-574-1550. We are here to help make this as smooth and easy as possible, and to keep your company’s data safe.
The European Commission has provided a list of new obligations that companies will face under the GDPR. While not exhaustive, and geared primarily towards smaller companies, this list provides an effective starting point to thinking about your GDPR obligations:
Protect the right of people giving you their data
- Communication: Tell data subjects in plain language who you are when you request the data, why you are processing their data, how long it will be stored, and who receives it.
- Consent: Get their clear consent to process the data.
- Access and Portability: Let people access their data and give it to another company.
- Warnings: Inform people of data breaches if there is a serious risk to them.
- Erase Data: Give people the ‘right to be forgotten.’ Erase their personal data if they ask, but only if it doesn’t compromise freedom of expression or the ability to research.
- Profiling: If you use profiling to process applications for legally-binding agreements like loans, there are specific responsibilities in the GDPR that you should become familiar with.
- Marketing: Give people the right to opt out of direct marketing that uses their data.
- Safeguarding sensitive data: Use extra safeguards for information on health, race, sexual orientation, religion and political beliefs.
- Data Transfers outside of the EU: Make legal arrangements when you transfer data to countries that have not been approved by the EU authorities.
Do data protection by design
Build data protection safeguards into your products and services from the earliest stages of development.
Check if you need a data protection officer
This is not always obligatory. It depends on the type and amount of data you collect, whether processing is your main business and if you do it on a large scale.
Review GDPR-specific record keeping requirements.
Anticipate with impact assessments
Impact assessments may be required for HIGH-RISK processing.
A Few Areas PI Clients May Wish to Consider:
- Information and Consent: Are you providing adequate information about use of personal data and obtaining proper consent from your assessment-takers (“data subjects”)?
- Data Retention: Have you considered how long you may keep data?
- Data Subject Requests: Do you have a process in place to address requests from data subjects?
Please contact us if you have further questions, comments or suggestions. If you wish to contact PI’s Privacy Team directly, they can be reached at firstname.lastname@example.org