An Overview of GDPR Requirements

Park Place Technologies


Chris Adams December 12, 2017

In the words of one commentator, “the GDPR protects any and all personal user data across virtually every conceivable online platform.”

The GDPR is a sweeping regulation covering nearly all data pertaining to European Union citizens. Its definition of “personal information” is broad, including data routinely collected by websites, such as IP, email, and MAC addresses. It also protects user-generated data, ranging from tweets and Facebook posts to images uploaded to online sites.

In the words of one commentator, “the GDPR protects any and all personal user data across virtually every conceivable online platform.”

Power to the People

The thrust of the GDPR is to put control over one’s own personal data back in the consumer’s hands. The regulations establishes a number of rights, which include:

  • The right to be informed one’s personal data is being collected and processed, notice of which must be provided in clear language
  • The right to demand an organization confirm that it has collected and retains one’s personal information
  • The right to access the information the organization has about the individual
  • The right to correct inaccurate or incomplete information
  • The right for a consumer to demand that their data is deleted if it is no longer necessary for the purpose for which it was collected
  • In certain cases, the right to object to the processing of data
  • The highly publicized and debated “right to be forgotten”—in other words, to have data erased if the consumer withdraws consent for data collection or objects to some aspect of its collection or processing
  • The right not to be subjected to automated decisions using personal data to evaluate work performance, credit score, conduct, or other types of life-changing judgments.

What Does the GDPR Require?

The foundation of GDPR compliances lies in making the switch from an “opt-out” to an “opt-in” approach to data collection. Organizations will need to ask for permission before collecting data and provide details about how that data will be used, stored, and protected. Even signing up for an email newsletter will need to be accompanied by appropriate permissions and notifications. Companies must:

  • State why personal data is being collected
  • Describe the information being held
  • Detail how long the data will be kept
  • Outline the technical security measures in place

Perhaps the more complicated technical feat will be to keep tabs on data collected once it’s “in the system,” so to speak. When asked by a consumer to retrieve personal information, organizations will need to be able to find it, not simply assure the consumer it’s been lost. When asked to delete personal information, that data will need to be permanently eliminated and cannot be allowed to return, such as through a restore-from-backup procedure.

The complexity may be part of the reason why companies with 250 or more employees will be expected to appoint a data protection officer (DPO) to be held accountable.

Responding to Equifax (before Equifax)—Data Breach Notification Rules

In addition to granting consumers new rights over their personal information, the GDPR also demands that all organizations handling personal data take steps to guard that data against loss, theft, or unauthorized access. What’s more, the regulation stipulates how organizations should behave if a possible security breach should occur.

Specifically, the GDPR states that any breach likely to have resulted in unauthorized data access is to be reported to oversight authorities within 72 hours. If the breach is likely to have individual privacy risk, affected individuals must be informed as well.

Action that has galled the millions of consumers suffering in recent breaches, from Equifax and Yahoo to Uber and others—namely, waiting weeks or months to reveal there was a problem—will no longer fly in the EU come May.

Some Complicated Requirements

Some of the GDPR’s provisions are more difficult to parse. For example, a new data portability requirement promises to allow individuals to transport information from one organization to another. A given company or other entity must provide the personal data in a common, machine-readable format and it’s recommended they assist with the transfer.

Among the questions about this rule are business and technical issues raised by Deloitte. They ask, “What does it mean commercially when your client can ask for a copy of all his personal data and take it to your competitor?” And also, “Are you able to provide an individual with a copy of all his personal data, can your systems handle that?”

Especially organizations collecting or processing large quantities of data or engaging with highly sensitive data, such as genetic information, may want to seek outside counsel to assist with the more difficult elements of GDPR compliance.

Chris Adams is President and COO of Park Place Technologies. Contact him at cadams@parkplacetech.com.

About the Author

Chris Adams, President and Chief Executive Officer
As President and CEO, he works side-by-side with other key leaders throughout the company managing day-to-day operations of Park Place. His key objectives include streamlining work processes and ensuring that all business initiatives and objectives are in sync. Chris focuses on key growth strategies and initiatives to improve profitability for Park Place, and is responsible for European and Asia-Pacific sales and service operations.