On 25 May 2018, the European Union’s revised data privacy regulation takes effect. The new regulation, the General Data Protection Regulation (GDPR), was developed over the preceding five years and formally adopted in 2016. Its stated purpose is to “…harmonize data privacy laws across Europe, protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”
The European Parliament and the Council of the EU adopted GDPR to replace the 1995 Data Protection Directive (95/46/EC), which predates today’s data-driven world. GDPR gives individuals more control over their personal information by requiring organizations to be transparent about where that information is going and how it will be used before processing begins.
Top GDPR Changes
- Extensive Territorial Scope – Any business processing personal data of individuals that reside in the EU must follow GDPR regardless of company location.
- Consent and Breach Notification – Consent for personal data processing must be unambiguous and as easy to withdraw as it was to give. In the event of a personal data breach, organizations must notify the supervisory authority within 72 hours of becoming aware of it, and must also notify the affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
- Right to Access and to be Forgotten – Data subjects must be granted a digital copy of their personal data free of charge and be given the option of requesting the deletion of their personal data if certain conditions are met.
- Data Protection Officers – A dedicated Data Protection Officer is mandatory for public authorities and for any organization whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data (such as health or criminal-conviction data). The often-cited 250-employee figure is not the test for a DPO; it is the size below which some record-keeping obligations are relaxed.
- Data Protection by Design and by Default – Privacy by design is an old idea, but GDPR makes it a legal requirement: data protection must be built into information governance and management systems from the outset, and the most privacy-protective settings must be the default rather than an opt-in.
Application of GDPR
GDPR covers all businesses established in the EU, and businesses outside the EU that offer goods or services to people in the EU or monitor their behaviour. In short, it applies to any company that processes or holds personal data of data subjects in the EU, regardless of where the company is located. Businesses in the United Kingdom must comply with GDPR at least until the United Kingdom formally leaves the EU.
None of the firms described above is exempt, and moving data to a cloud provider does not shift the responsibility: the organization that decides why and how personal data is processed remains accountable for data it stores with a processor. If your organization uses cloud storage, it must be able to say where a given individual’s data is held when asked, and must be able to erase it when required.
Failure to Comply
Any firm that fails to comply with GDPR faces significant administrative fines, structured in two tiers. Less serious infractions, such as record-keeping failures, can cost up to 2% of annual global turnover or 10 million euros, whichever is greater. More serious offenses, such as breaching the basic data protection principles or infringing data subjects’ rights, can cost up to 4% of annual global turnover or 20 million euros, whichever is greater.
AI and GDPR
AI can help organizations meet GDPR obligations at a scale that manual review cannot. A cognitive layer combining natural language processing, translation, object and facial recognition, redaction and anomaly detection can find, manage and act on personal data buried in unstructured media such as audio and video, where keyword search alone does not work. With an estimated 4 billion hours of compliance audio in the financial sector alone, such automation is needed to get ahead of GDPR rather than merely react to it.
Michael Swarz, JD, is the product marketing manager of Veritone Legal and has extensive first-hand experience with technology and software solutions for the compliance, legal and related industries.