Home » Large Law » The GDPR: Enhancing Data Protection by Design | Part One of Three

The GDPR: Enhancing Data Protection by Design | Part One of Three

In just under six months, the EU’s General Data Protection Regulation (GDPR) will come into force.

On May 25th, 2018, the GDPR will replace the EU Data Protection Directive (1995) and the UK Data Protection Act (1998).  The regulation affects all EU companies that process or store personal information and companies not in the EU that process or store personal information for EU residents.  Differing from the prior regulations, the GDPR focuses on the privacy and rights of the individual.  Consumers and data subjects should have the right to know what data is held about them, as well as how it’s being stored and secured.


One Set of Rules for All the EU

The GDPR creates one set of rules for all EU member countries.  While the prior directives could be interpreted and implemented differently by each country in the EU, the new regulation provides one uniform regulation implemented across the entire EU by one supervisory authority.

Personal Data Is Redefined and Expanded.

The Data Protection Directive defined personal data as a person’s name, photo, email address, phone number, address, and personal identification numbers (SSN, credit card numbers, bank account numbers, etc.).  The GDPR expands personal data to include such things as IP addresses, mobile device identifiers, geolocation information, biometric data (finger prints, retinal scans, hand geometry, etc.).  Also included is an individual’s physical, psychological, genetic, mental, economic, cultural, or social identity.

Defined Individual Rights

The GDPR provides the following rights for individuals:

  1. The right to informed ­– companies must provide “fair processing information” to their data subjects, typically by a privacy notice.
  2. The right of access – the individual is allowed to be aware of and verify the lawfulness of how their data is being processed.
  3. The right to rectification –  the individual is allowed the right to correct their personal information if it’s inaccurate or incomplete.
  4. The right to be forgotten –  the individual has the right to request the deletion or removal of their personal data where there is no longer a compelling reason to continue to keep it.
  5. The right to restrict processing ­­– the individual is allowed to suppress processing of their information.
  6. The right to data portability – the individual is allowed to obtain and reuse their personal data for their own purposes across different services.
  7. The right to object – the individual has a right to object to how their information is being processed.
  8. Rights in relation to automated decision-making and profiling – the individual has rights to object to automated decisions made without human intervention that could be potentially damaging.


Accountability and Governance

The accountability principle in article 5(2) requires that companies demonstrate that they comply with the principles of the GDPR and explicitly states that this is their responsibility.  This means that you need to implement appropriate technical and operational measures that ensure and demonstrate compliance across your organization. This can include HR policies, staff training, internal audits, etc.

In future posts, we will go into more detail on various aspects of GDPR and explore how InterAction® customer relationship management software can help you in your compliance efforts, ensuring that data protection is done by design, not as an afterthought.

Be sure to contact your InterAction Account Manager for an exclusive invitation to our webinar series covering how InterAction tools can be used to execute GDPR compliance plans.

Facebook Twitter Pinterest Plusone Linkedin Digg Delicious Reddit Stumbleupon Tumblr Posterous Email Snailmail

About John Burns

John Burns
John Burns is a Product Manager for InterAction.  Prior to joining LexisNexis in 2013, John founded, owned, and operated several successful small businesses, ranging from Data Center and Web Hosting to retail. John also held lead IT positions at US Bank and Key Bank, where he worked on customer-facing systems including, Bankcards, ATMs and 24x7 customer service.  Originally from Oregon, John attended Oregon State University and Portland State University.