Since May 25, 2018, Europe has been covered by the world's strongest data protection rules. The General Data Protection Regulation (GDPR) was implemented to reform laws that protect the personal information of individuals. In today’s data-driven world, the goal of the GDPR is to provide protection for all EU citizens from privacy and data breaches. And while the key tenets of data privacy are consistent with the previous directive, the GDPR brings several changes that impact corporate responsibilities for protecting personal data and the penalties imposed when they fail to do so.
GDPR: Changes for Companies to Know
Here are some of the most significant changes GDPR brings to all companies (regardless of their location in the world) that manage the private data of EU citizens.
Increased Territorial Scope
Perhaps the most significant change GDPR brings to the regulatory landscape for data privacy is in the extended jurisdiction of the regulation. The GDPR applies to all companies that manage or process the personal data of EU citizens, regardless of the location of the company. The GDPR makes it very clear that its rules are applicable to the processing of personal data, regardless of whether the processing takes place in the EU or not.
The GDPR also brings more severe penalties than had been seen in previous regulations. While the GDPR brings a tiered approach to penalties, organizations that are found to be in breach can be fined up to 4% of annual global turnover or €20 Million, whichever is greater (this is the maximum fine and is levied for the most serious violations). Of note is the fact that these rules apply to both controllers and processors of data. This means that ‘clouds’ are subject to GDPR enforcement.
Under the GDPR, the conditions for consent have been clarified and increased. Companies can no longer use long illegible terms and conditions full of legal jargon. Now, the request for consent must be provided in an easily accessible and clearly understandable form that includes the purpose for data processing. There must also be an easy mechanism to withdraw consent.
Under the GDPR, breach notifications are required in where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. The notification must be completed within 72 hours of the organization first gaining awareness that the breach occurred. Data processors must notify their customers, the controllers, “without undue delay” once they have become aware of the data breach.
Right to Access
For data subjects, part of the extended rights the GDPR brings is in their ability to get confirmation from the data controller regarding whether their personal data is being processed. If so, where and why. In addition, the controller must present an electronic copy of the personal data, at no charge. This presents a significant shift in the empowerment of data subjects.
Data portability, introduced by the GDPR, refers to the right for a data subject to receive the personal data concerning them. This is data they previously shared in a ‘commonly used and machine readable format’. They have the right to deliver that data to another controller.
Right to be Forgotten
The Right to be Forgotten, also referred to as ‘Data Erasure’, allows the data subject to have the data controller erase his/her personal data, terminate further sharing of the data, and possibly have third parties cease processing of the data. The conditions for this include that the data is no longer relevant to initial intended purposes for processing, or that a data subject has revoked their consent.
Privacy by Design
This provision requires the inclusion of data protection from the initial engineering of systems, rather than as an add-on. Specifically, ‘The controller shall… implement appropriate technical and organizational measures… in an effective way… in order to meet the requirements of this Regulation and protect the rights of data subjects’. The GDPR requires that controllers only store and process data that is necessary for the completion of its duties (referred to as data minimization). It also limits access to personal data to those needing to conduct the processing.
Data Protection Officers
The GDPR includes stringent internal record keeping requirements. A Data Protection Officer (DPO) appointment is required for those controllers and processors whose core operations include activities which require ongoing and systematic monitoring of data subjects.
The Data Protection Officer:
Is to be appointed based on professional qualities. Specifically, their expert knowledge on the law and practices of data protection. Contact details must be provided.
Can be a staff member or externally appointed
Must be given the necessary resources to perform their tasks
Must serve as a direct report to the highest level of management
Must not have responsibility for other tasks that could lead to a conflict of interest
The Importance of GDPR Training for Employees
With the changes that the GDPR brings to data protection, it is important to make sure that your employees are aware of and properly trained. In fact, data protection experts continuously emphasize that staff training as an essential part of GDPR preparedness and compliance.
Not only does employee training decrease the risk of breaches, it also demonstrates your organization’s commitment to GDPR compliance. If, for example, your organization experienced a data breach and they had documented your employee GDPR training, this could be used to help prove that you had implemented the proper actions to prevent a data breach and were working to adhere to the regulation.
eLearning for GDPR Changes and Training
eLearning reduces, or even eliminates, some of the high costs associated with in-person, classroom-based training, such as travel, venue fees, on-site instructor fees, catering, and the distribution of printed training materials. And with eLearning, there is no lost productivity cost as your employees can conduct their GDPR training during work breaks or after hours.
eLearning offers an element of convenience that your employees will appreciate as they can conduct their GDPR training activities at any time and from any place that offers Internet access. And in fact, many eLearning activities can even be conducted offline.
One of the most challenging aspects of classroom-based training is that all of your employees must learn at the pace set by the instructor. With eLearning, on the other hand, employees can learn at their own pace and can even revisit challenging or important content multiple times before moving on to the next learning section.
Communication and Collaboration
Many eLearning platforms now include tools that allow for online communication among students or between students and instructors. These tools help to create a more productive learning environment and can offer a streamlined way to collect user feedback.
eLearning allows for easy and immediate access to important data regarding program engagement and success. The analysis of this data can be extremely valuable as you look to revise, expand, and improve your GDPR training program over time.
LMS Portals: eLearning for GDPR Changes
LMS Portals provides a cloud-based platform that allows you to run GDPR training on your own branded eLearning portal. Use the LMS Portal platform to easily develop and deliver classes to instruct your employees on the GDPR changes and how they impact your organization and specific job duties or your staff.
Contact us to discuss running your Employee GDPR Training
on your own branded portal.