Bulletin 1: Overview of the EU General Data Protection Regulation (GDPR)

IEEE Technical Activities Bulletin #1
Topic: Overview of the EU General Data Protection Regulation (GDPR)
Bulletin Type: Informational
Audience: All
Version 1, 13 June 2018
Welcome to Technical Activities GDPR Bulletins
This is the first Bulletin in a series that you will receive regarding your role in General Data Protection Regulation (GDPR) compliance. This first Bulletin provides background information on GDPR. Future Bulletins will provide specific details on steps you need take in order to comply with GDPR.
What is GDPR?
The General Data Protection Regulation (GDPR) is a regulation by European Union (EU) authorities to strengthen and unify data protection for EU citizens and individuals within the European Union (EU). The primary aim of GDPR is to give EU citizens and residents control over their personal data. GDPR went into effect 25 May 2018.  
What do I need to know about GDPR?
GDPR protects the personal data of individuals.  Examples may include name, email address, IP address, and photo. IEEE is
an international organization that, in some cases, collects, stores, and processes personal data of EU citizens.  As a result, IEEE may be subject to GDPR. Some of the core tenants of GDPR are: 
  • Consent: Use of personal data may now require consent from individuals prior to processing.
  • Right to Access/Data Portability: If requested, IEEE’s Data Protection Officer (DPO) must provide individuals who request a copy of their personal data in a commonly used and machine-readable electronic format.
  • Right to be Forgotten: Individuals may require IEEE to erase their personal information from databases, unless there are legal requirements where IEEE must retain this information or other exceptions exist. 
  • Breach Notification: Data breaches must be reported to regulatory authorities within 72 hours of first becoming aware of the breach.
  • Privacy and Data Considerations: Systems must be designed with privacy in mind from the outset.
As a standard practice, organizations should only collect and process the data necessary for the completion of their duties and limit access to only those needing this information.
What does “Consent” mean under GDPR?
One of the fundamental changes introduced by GDPR is the need for organizations to obtain consent from individuals prior to processing personal data in certain situations.  Elements of consent include:
  • Opt-in: Consent must be opt-in; implied consent or opt-out is no longer viable. 
  • Unambiguous: Consent to use personal data must be “freely given, specific, informed, and unambiguous”.
  • Clarity: Consent must be made in an intelligible and easily accessible form where legalese terms and conditions are not acceptable.
  • Sharing: If personal data will be shared with third parties it must be disclosed to the individual in order to gain effective consent.
  • Withdrawn: Consent must be as easy to withdraw as it is to give.
What happens if there is a violation?
As a global enterprise, IEEE has taken GDPR very seriously since the regulation has significant fines and penalties if the terms are violated. 
  • Fines: May be up to 4% of annual global turnover or €20 Million, whichever is higher. 
  • Penalties: Regulatory agencies may also be permitted to enforce other penalties such as deletion of personal data and placing limitations on interactions with citizens of EU member states. 
  • IEEE Reputation: Loss of IEEE reputation as a fair and ethical marketer. As a leading proponent of technology ethics, policy and standards, IEEE wants to maintain its high quality, leadership position.
Should you think a data incident may have occurred, please contact privacy@ieee.org.  
How can I learn more?
This is the first in a series of informational and instructional updates regarding GDPR. Look for regular updates highlighting how GDPR may affect your work with IEEE. You can also visit the Technical Activities GDPR Resource Page or the IEEE GDPR page
Please forward this email to your IEEE colleagues who handle personal data, newsletter/email distributions, websites, or other activities that fall under GDPR.
What’s Next? Bulletin #2 will focus on Handling Data Breaches

[Download PDF]