What is GDPR?

The General Data Protection Regulation (GDPR) is a European Union (EU) regulation (Regulation (EU) 2016/679) that replaces the 1995 EU Data Protection Directive (Directive 95/46/EC). It is intended to harmonize the patchwork of data protection laws across the member states by strengthening the protection of the personal data of individuals in the EU and increasing the obligations of organizations that collect or process personal data. The GDPR entered into force in May 2016 and applies from May 25, 2018. The new rules modernize the principles laid out in the 1995 Directive, which was written before the advent of social media, “smart” mobile devices and the many applications that track and store users’ geolocation.

The GDPR is widely regarded as the most ambitious and comprehensive change to data protection rules anywhere in the world in the last 20 years. The full text of the GDPR is published on EUR-Lex as Regulation (EU) 2016/679.

The concept of accountability (Article 5(2)) is at the heart of the GDPR: organizations must be able to demonstrate that they have analyzed the GDPR’s requirements in relation to their processing of personal data and have implemented a program that achieves, and can evidence, compliance. This is exactly what Protege Biomedical has been doing over the past several months. Protege Biomedical is fully committed to complying with the GDPR’s requirements and has used the new law as an opportunity to build a stronger data protection foundation to benefit our employees and customers.


What are some of the key elements and changes to the law under GDPR?

In sum: a lot. Here are some of the key changes:

  • Broad definition of “personal data”. GDPR defines personal data broadly as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” Under this definition, nearly all information about an identifiable individual is personal data, including, for example, names, ages, email addresses, online identifiers such as IP addresses, mobile device IDs and cookie identifiers, and location data. Pseudonymized data (for example, a hashed email address) is still personal data if the individual can be re-identified with additional information (Recital 26).

  • Obtaining consent. Consent must be freely given, specific, informed and unambiguous, and given by a “clear affirmative act” (Article 4(11)); a soft opt-in no longer suffices, and pre-ticked boxes, silence or inactivity do not constitute consent (Recital 32). Explicit consent is additionally required for special categories of data such as health or genetic data (Article 9). The controller must be able to demonstrate that consent was given (Article 7(1)) and must make withdrawing consent as easy as giving it (Article 7(3)). Consent records therefore need to capture who consented, to which purpose, when and how, and systems design changes may be necessary to produce that evidence if you are challenged.

  • Extra-territorial scope. The GDPR applies to controllers and processors established in the EU regardless of where the processing takes place, and to organizations outside the EU that offer goods or services to individuals in the EU or monitor their behaviour there (Article 3). A company does not need any presence in the EU to be in scope.

  • Right to erasure (“right to be forgotten”). A data subject may require that their personal data be erased and no longer processed, for example where the data is no longer necessary for the purposes for which it was collected or where they withdraw the consent on which the processing was based (Article 17). The right is not absolute: erasure can be refused where processing is still required, for instance to comply with a legal obligation, and a controller that has made the data public must take reasonable steps to inform other controllers processing it.

  • Right of access. A data subject has the right to obtain from the controller confirmation as to whether personal data concerning them is being processed and, if so, access to that data together with the purposes of the processing, the recipients, the retention period and the source of the data (Article 15). The controller must provide a copy of the personal data, free of charge for the first copy and in a commonly used electronic form where the request was made electronically, normally within one month of the request (Article 12(3)).

  • Data portability. A data subject has the right to receive the personal data concerning them which they provided to a controller in a “structured, commonly used and machine-readable format” and to transmit that data to another controller, where the processing is based on consent or a contract and is carried out by automated means (Article 20).

  • Breach notification. Notifying the supervisory authority of a personal data breach becomes mandatory in all member states unless the breach is “unlikely to result in a risk to the rights and freedoms of natural persons”. The notification must be made without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach; a later notification must be accompanied by the reasons for the delay (Article 33). Where the breach is likely to result in a high risk to individuals, the controller must also communicate it to the affected data subjects without undue delay (Article 34). Processors must notify their customers, the controllers, without undue delay after becoming aware of a breach.
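
Consent has to be purpose-specific, withdrawable and demonstrable after the fact, and the list above notes that systems changes may be needed to produce that evidence. The following is an added example, not code from Protege Biomedical or from this page, sketching one way to do that in Python: a hash-chained, append-only consent ledger that refuses to record anything that was not an affirmative act, answers “may we process this subject’s data for this purpose?” from the latest event for that exact subject/purpose pair, and exports a subject’s records as JSON for access and portability requests. The class and function names, the subject identifier `subj-42`, the purposes and the evidence strings are all constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional

# Hypothetical consent ledger: an illustration of how consent evidence could be
# stored so that it can be demonstrated later (GDPR Art. 7(1)). Not production code.

GENESIS_HASH = "0" * 64


@dataclass
class ConsentEvent:
    subject_id: str      # pseudonymous identifier for the data subject
    purpose: str         # the specific processing purpose the consent relates to
    action: str          # "granted" or "withdrawn"
    evidence: str        # how the affirmative act was captured (form, version, UI element)
    timestamp: str       # ISO 8601, UTC
    prev_hash: str       # hash of the preceding event, chaining the ledger
    hash: str = ""       # SHA-256 over the other fields, filled in on append


class ConsentLedger:
    """Append-only log of consent events with a SHA-256 hash chain for tamper evidence."""

    def __init__(self) -> None:
        self.events: List[ConsentEvent] = []

    @staticmethod
    def _digest(ev: ConsentEvent) -> str:
        body = {k: v for k, v in asdict(ev).items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, subject_id: str, purpose: str, action: str,
                evidence: str, timestamp: Optional[str]) -> ConsentEvent:
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        prev = self.events[-1].hash if self.events else GENESIS_HASH
        ev = ConsentEvent(subject_id, purpose, action, evidence, ts, prev)
        ev.hash = self._digest(ev)
        self.events.append(ev)
        return ev

    def grant(self, subject_id, purpose, evidence, affirmative, timestamp=None):
        """Record consent. Pre-ticked boxes, silence or inactivity are not consent
        (Recital 32), so a non-affirmative 'consent' is refused rather than logged."""
        if not affirmative:
            raise ValueError("consent requires a clear affirmative act; not recorded")
        return self._append(subject_id, purpose, "granted", evidence, timestamp)

    def withdraw(self, subject_id, purpose, evidence, timestamp=None):
        """Record withdrawal; it must be as easy as giving consent (Art. 7(3))."""
        return self._append(subject_id, purpose, "withdrawn", evidence, timestamp)

    def may_process(self, subject_id: str, purpose: str) -> bool:
        """Consent is purpose-specific: only the latest event for this exact
        subject/purpose pair counts, and no record at all means no consent."""
        state = None
        for ev in self.events:
            if ev.subject_id == subject_id and ev.purpose == purpose:
                state = ev.action
        return state == "granted"

    def verify(self) -> bool:
        """Recompute the chain; any edited, removed or reordered event breaks it."""
        prev = GENESIS_HASH
        for ev in self.events:
            if ev.prev_hash != prev or self._digest(ev) != ev.hash:
                return False
            prev = ev.hash
        return True

    def export_for_subject(self, subject_id: str) -> str:
        """Machine-readable copy of one subject's consent history, suitable for
        an access (Art. 15) or portability (Art. 20) response."""
        return json.dumps([asdict(e) for e in self.events
                           if e.subject_id == subject_id], indent=2)


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample events (not real records) showing a typical lifecycle."""
    ledger = ConsentLedger()
    ledger.grant("subj-42", "marketing_email",
                 "unticked checkbox clicked on signup form v3", affirmative=True,
                 timestamp="2018-05-25T09:00:00+00:00")
    ledger.withdraw("subj-42", "marketing_email", "unsubscribe link in email",
                    timestamp="2018-06-01T12:30:00+00:00")
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("marketing_email allowed:", ledger.may_process("subj-42", "marketing_email"))
    print("analytics allowed:", ledger.may_process("subj-42", "analytics"))
    print("chain intact:", ledger.verify())
    print(ledger.export_for_subject("subj-42"))
```

The hash chain does not stop an insider with write access to the whole store from rewriting every link; it makes edits detectable when the head hash is periodically copied somewhere the application cannot write (a signed log, a separate system). The point of `may_process` is that consent given for one purpose says nothing about another, so the check is keyed on the pair, not on the subject alone.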


What is Protege Biomedical doing to prepare for GDPR?

Keeping your data safe, increasing transparency and investing the time and resources needed to become GDPR compliant are top priorities at Protege Biomedical. Like many other software companies, we are implementing our company-wide GDPR compliance strategy leading up to May 25, 2018 and beyond. We appreciate that our customers have requirements under GDPR that are directly affected by their use of Protege Biomedical, and we are committed to helping our customers fulfil those requirements.

Below are a few examples of initiatives we have committed to in order to satisfy GDPR requirements that apply to both our customers and us:

  • Updating several legal agreements as part of our GDPR compliance efforts. These include our Terms of Service and Privacy Policy, which detail users’ rights in conjunction with using Protege Biomedical services. Our updated Privacy Policy is designed to make it easier for users to understand what information Protege Biomedical collects, why we collect it, how we use and store it, and when and with whom we share it.

  • Applying GDPR standards to all data, not just EU personal data. As noted above, Protege Biomedical has used GDPR to educate our teams on the heightened standards under this new law, in an effort to build a comprehensive privacy and data security program across our entire platform.

  • Committing to carrying out data protection impact assessments (DPIAs) for high-risk processing and consulting with the relevant EU supervisory authorities where appropriate (Articles 35 and 36).


Protege Biomedical has invested a considerable amount of time, money and resources as part of our commitment to GDPR. We recognize the importance of protecting our customers’ data and want to be an industry leader in this regard. Protege Biomedical values the trust of our customers and business partners above all else and will continuously strive to protect your data.


Additional resources: