The clock is ticking. The European General Data Protection Regulation (short: "GDPR") will apply from 25 May 2018, and Israeli companies need to ensure that they comply with the new rules on data protection and privacy by then. This bulletin outlines the ten most critical steps that should be taken in preparation for the GDPR.
What is the GDPR?
ERM has summarised the changes that the GDPR will bring, and how they will apply to Israeli businesses, in two previous bulletins (January and August 2016). In a nutshell, the GDPR aims to strengthen the rights of data subjects in the European Union and to harmonise the data protection laws of the EU member states.
"Personal Data" is any information relating to an identified or identifiable natural person. It can be a person's name, photo, email address, bank details or medical information, but also an IP address, a cookie or a device identifier.
One way in which the GDPR intends to strengthen the privacy rights of data subjects is by introducing significant fines for non-compliance, which can amount to up to 4% of an undertaking's total worldwide annual turnover of the preceding financial year or EUR 20 million, whichever is higher.
10 Steps to Take Now
Now is the time for an organisation to review its current practices and evaluate whether it is, or may become, subject to the GDPR. The GDPR will apply even to data controllers and processors without any establishment in the EU if they process personal data of individuals in the EU in connection with offering them goods or services, whether or not payment is required. In addition, the GDPR will apply to a controller or processor that monitors the behaviour of individuals within the EU. "Monitoring" may include, for example, profiling of EU data subjects in order to analyse or predict their personal preferences or behaviour.
Revise Structure and Responsibility in the Organisation
The heightened obligations under the GDPR, together with the significant fines for non-compliance, require that data protection not only becomes the management's responsibility but is also brought to the attention of the entire organisation. Such general awareness can be created through data protection guidelines and a clear allocation of internal responsibilities. Further, an entity must appoint a data protection officer if it is a public authority, if its core activities consist of regular and systematic monitoring of data subjects on a large scale, or if its core activities consist of large-scale processing of special categories of personal data (such as health data) or data relating to criminal convictions. The data protection officer must have expert knowledge of data protection law and practices; an employee-count threshold, as was proposed in earlier drafts of the GDPR, does not apply.