General Data Protection Regulation (GDPR)
Changes in technology have created new data security challenges, and many countries see the need for updated regulations to control data being shared with companies, between devices and across applications. At the same time, attackers are adapting their techniques to the same new technology, and businesses need to stay one step ahead to avoid breaches.
The European Union sought to address potential threats to personal information by enacting the General Data Protection Regulation (GDPR).
Even if your company doesn’t have a physical location in the EU, the GDPR likely affects you, and you may need to make some changes to your policies to avoid being subject to penalties.
What is the GDPR?
The General Data Protection Regulation took effect in the EU on May 25th, 2018 with the goal of improving the “digital rights” of EU citizens. The new regulations standardize data protection legislation across member states and update existing protection laws to address changes in the way personal data is used and to prevent it from being exploited.
According to the European Commission, personal data is “any information relating to an individual, whether it relates to his or her private, professional or public life.” This includes, but is not limited to:
- Personal ID numbers
- IP addresses
- Website cookie data
- Locations shared with websites
- Health and medical details
- Genetic and biometric data
- Race, ethnicity and sexual orientation
- Political affiliations
- Social media posts
The protocols put in place by the GDPR outline how companies and organizations are to manage the way these types of data are collected, processed and transferred.
What are the Key Changes of the GDPR?
The biggest change you need to be aware of is the extended coverage the GDPR provides for the digital rights of EU citizens. Regulations apply not only to companies in the EU but also to all other companies handling the personal data of EU citizens.
What does this mean for businesses based in other countries?
If you collect data from an EU citizen at a time when he or she is located in the EU, you’re required to comply with GDPR regulations.
This applies not only to making sales but also to any other transactions in which information is collected or processed. You’re also subject to the GDPR if your marketing materials cater to a target audience in the EU.
Other changes include regulations relating directly to digital rights and how breaches are to be handled:
- Breach notification requires information on data breaches, including the number of EU citizens impacted, to be reported to supervising authorities within 72 hours of discovery
- Right to access gives EU citizens the freedom to access the personal data you’ve collected and get detailed information on how it’s being used
- Right to be forgotten grants the right for users to request their information be completely erased if it no longer needs to be used
- Data portability dictates users must have easy access to their own data and the ability to freely copy it from one system to another
- Privacy by design and default requires you to include data protection as part of regular business processes
In addition to these rights and regulations, you must obtain “explicit consent” from all EU citizens for each way data will be used and processed. This includes data collected in the past, meaning you must provide updated opt-in options.
Certain businesses and organizations must also assign a Data Protection Officer (DPO). According to Digital Guardian, the job of a DPO is to “oversee data protection [strategies] and implementation to ensure compliance with GDPR requirements.” Your company needs a DPO if:
- You have more than 250 employees
- You regularly monitor a large amount of data from EU citizens
- You handle “special categories of personal data,” such as race or ethnicity
These changes lay out guidelines for lawful data processing to protect the interests of EU citizens when their personal information is collected and shared. If you’re already following current standards for data security, chances are you’re well on your way to being in compliance with the GDPR.
Implications of the GDPR
The inclusion of companies with EU markets and “localized web content” in GDPR regulations impacts “U.S.-based hospitality, travel, software services and e-commerce companies” the most, according to Forbes, and requires these businesses to “take a closer look at their online marketing practices.”
If your business falls into any of these categories or caters to companies in the EU, you may need to make changes in the ways you ask customers for consent to use personal data. Consent must be “freely given, specific, informed and unambiguous” for data use to comply with the GDPR, meaning details on how information will be processed must be presented to customers at the point when such information is collected. Linking to a separate terms and conditions page isn’t enough, nor is having a single opt-in box if data will be processed in multiple ways or used by third-party affiliates.
GDPR regulations for breaches cover the “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data [of EU citizens] transmitted, stored or otherwise processed.” Should such a breach occur, your company is responsible for assessing the level of risk posed to the EU subjects involved and complying with the 72-hour reporting window.
Fines and Penalties Associated with GDPR
Penalties for noncompliance with GDPR regulations are based on:
- The type and intent of an infringement
- Prior history of breaches and infringements
- The number of people affected
- Types of data involved
- How well consequences were mitigated
- Whether or not preventative measures were taken beforehand
Regulations include routine data protection audits to assess compliance, and any company found to be in violation will receive a written warning before any fines are issued. Continued failure to comply may result in fines at one of two levels:
- Up to 2 percent of global revenue for failing to fulfill any obligation associated with a data breach
- Up to 4 percent of global revenue or 20 million euros, whichever is larger, for failing to follow processing and consent rules or failing to allow individuals free access to their own data
Related penalties may include limitations or outright bans on data processing, making it difficult to continue normal business operations and leading to loss of revenue for the duration of the ban.
A Checklist for GDPR Success
Although the GDPR includes some complex legal language and the full scope isn’t always easy to understand, ensuring your business is in compliance can be accomplished with a few straightforward steps:
- Perform an assessment of the types of data you collect and store, including how long the information is retained
- Evaluate and update the system you currently rely on to monitor the use of and access to personal data
- Improve data security across systems
- Document the “lawful basis” for how data is used and processed
- Make sure you’re able to locate data in a timely manner when responding to access requests
- Assign a DPO if your organization requires one
Adding reliable security software with comprehensive tools to your data security plan allows you to automate common tasks and provides real-time alerts when potentially malicious activities are detected. This makes it easier to monitor data and document incidents to stay in compliance with GDPR regulations. Work closely with your IT staff, security team and any other staff members involved in handling or monitoring data to bring everyone up to speed and get the whole company on board with the new guidelines.
As long as you educate employees about updates to the way you collect and handle data, create a detailed plan based on the new requirements and stick with your strategies, your business will be on target for GDPR compliance.