The European Union’s new General Data Protection Regulation (GDPR) comes online in a few months. Failure to meet the new regulations could mean fines up to 4% of a company’s global turnover or 20,000,000 EUR, whichever is higher. It’s no surprise that many organizations are nervous about compliance.
At its core, the GDPR is about protecting the rights of individuals with regard to their data. According to the regulation, individuals own the data being collected from them and have the right to decide how it is used or distributed. This personal data includes an individual’s name, home address, images, bank details, social networking posts, medication information, IP addresses, mobile device ID, and data collected through the IoT.
Who has to be prepared to comply?
The short answer is that any organization collecting and storing information in the EU—through web campaigns, visitor check-ins, video surveillance, license plate recognition, etc.—will be affected by the GDPR. This impacts not only EU-based organizations, but also any other organization that processes transactions or collects any type of data from EU residents.
More specifically, the EU has stated that data controllers, namely organizations that collect personal data for their own use, and data processors, organizations that process personal data, will be impacted by the GDPR.
Are you a data controller or processor?
According to Article 4 of the EU GDPR, different roles are identified as indicated below:
- Controller – “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”
- Processor – “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”
Under the regulation, both parties are jointly responsible for complying with the new rules. This means that anyone collecting, managing, modifying, storing, or analyzing personal data can be subject to the steep fines if they don’t comply with the regulation. However, for the first time, the GDPR introduces direct obligations for data processors, whereas the current regulation holds only data controllers liable for data protection noncompliance. Processors will now also be subject to penalties and civil claims.
How does this impact your organization?
Consider a single individual entering a facility. If the facility uses license plate recognition to allow access, even before walking through the front door, an individual’s license plate credentials have been read. This information can then be used at reception and connected to the individual’s ID. The company in this case is the data controller. It is the controller’s responsibility to ensure that the data is protected and that individuals consent to having their data gathered by opting-in. Now multiply that by all the individuals coming in and out of that facility on a daily, monthly, or yearly basis.
If any of these individuals request access to that data, the facility must have the right tools in place to meet those requests. Further, the individual also has the right to be forgotten (meaning their personal information will be removed from the system), the right to be notified of a data breach within 72 hours, and the right to request that their data not be used for processing or to stop it from being processed for direct marketing. Failure to honor these rights means you are not in compliance and therefore liable. You're probably thinking: "What can I do to prepare for this new legislation?"
In next week's blog post, we will look at the steps you can take right now to ensure compliance with GDPR. In the meantime, learn about what the GDPR means for video surveillance.