My previous blog post addressed the reasons for the regulation and the requirements associated with the New York State Department of Financial Services (NYDFS) 23 NYCRR 500. In this blog, I am addressing the General Data Protection Regulation (GDPR) and the requirements that come with it.
The General Data Protection Regulation (GDPR) is a European Union (EU) regulation on data protection and privacy for all individuals within the EU. The GDPR aims to give control to individuals over their personally identifiable data and to simplify the regulatory environment for international business by unifying the regulation within the EU. It went into effect on May 25, 2018.
How GDPR is giving individuals control of their data:
GDPR applies if the data controller (an organization that collects data from EU residents), the data processor (an organization that processes data on behalf of a data controller), or the data subject (the person the data is about) is based in the EU. Under certain circumstances, the regulation also applies to organizations based outside the EU if they collect or process personal data of individuals located inside the EU.
Lawful Basis for Processing
Personal data of an individual may not be processed unless he/she has provided informed consent to it or there is a legal basis to do so.
Responsibility and accountability
It is the responsibility of the data controller to demonstrate compliance with GDPR by implementing effective measures which meet the principles of data protection, even if the processing is carried out by a data processor on behalf of the controller.
Data protection by design and by default
Data protection must be designed into the development of business processes for products and services. Privacy settings must be set at a high level by default, and technical and procedural measures should be taken by the controller to make sure that the processing, throughout the whole processing lifecycle, complies with the regulation.
Pseudonymization, which is required when personal data is stored, transforms the data so that the result cannot be attributed to a specific data subject without the use of additional information. Encryption is one example: it renders the original data unintelligible, and the transformation cannot be reversed without the correct decryption key.
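As an added example (not code from the original post), the following Python shows the separation the paragraph describes: direct identifiers are replaced with tokens computed from a key that is assumed to be kept apart from the working data set, and the token-to-identity lookup is the "additional information" needed to re-identify anyone. The HMAC-based tokenization, the field names and the sample records are assumptions constructed for this illustration.

```python
import hashlib
import hmac

# Constructed sample records (fictional people) and a constructed demo key.
# In practice the key lives in a separate key store, not beside the data.
DEMO_KEY = b"constructed demo key - store apart from the data set"
RECORDS = [
    {"email": "alice@example.com", "name": "Alice Example", "purchases": 3},
    {"email": "bob@example.com", "name": "Bob Example", "purchases": 1},
    {"email": "alice@example.com", "name": "Alice Example", "purchases": 2},
]
DIRECT_IDENTIFIERS = ("email", "name")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, deterministic token: same input and key give the same token,
    so one person's records stay linkable, but the token cannot be computed
    or reversed without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def pseudonymize(records, key, lookup):
    """Return copies of `records` with direct identifiers replaced by a token.
    `lookup` (token -> original identifiers) is the separately held mapping
    that must be protected with stricter access control than the data set."""
    out = []
    for rec in records:
        token = pseudonym(rec["email"], key)
        lookup.setdefault(token, {k: rec[k] for k in DIRECT_IDENTIFIERS})
        stripped = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"subject_id": token, **stripped})
    return out


def reidentify(token, lookup):
    """Only a holder of the separately kept lookup can attribute a token."""
    return lookup.get(token)


def erase_subject(token, lookup):
    """Dropping the lookup entry leaves the rows in place but no longer
    attributable to a person; returns True if an entry was removed."""
    return lookup.pop(token, None) is not None


if __name__ == "__main__":
    mapping = {}
    for row in pseudonymize(RECORDS, DEMO_KEY, mapping):
        print(row)
    print("lookup entries:", len(mapping))
```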
Right of Access
EU citizens have the right to access their personal data and information about how this personal data is being processed. A data controller must provide, upon request, a copy of the actual data and inform the data subject of the details of the processing, such as its purposes, with whom the data is shared, and how the data was acquired.
Right to Erasure
The data subject has the right to request erasure of personal data related to them.
Records of Processing Activities
Data processors must maintain records of processing activities that include the purposes of the processing, the categories of data involved, and the envisaged time limits. The records must be made available to the supervisory authority upon request.
Data Protection Officer
A data protection officer, who is a person with expert knowledge of data protection law and practices, must be designated to assist the controller or processor in monitoring their internal compliance with the Regulation.
The data controller must notify the supervisory authority and the affected individuals within 72 hours of becoming aware of a data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of those individuals.
Non-compliance with the regulation can result in a fine of up to $20 million or up to 4% of the annual worldwide turnover of the preceding financial year.
For more information on NYDFS 500 and GDPR laws and regulations on the financial services industry, please download our guide here, or click below.