It has been a big last couple of years for the European Union in the political and business spectrums; what with Brexit and changes to the cybersecurity paradigm. The latter, in particular, will see even bigger changes once the European Union’s General Data Protection Regulation (GDPR) becomes instantiated into law. The scope of this initiative is as broad as it comes, and will alter how business is done in technology, cybersecurity, marketing and even human resources.
What’s the Big Deal with GDPR?
First of all; there’s the sheer scope of the security law. GDPR lists 99 new rules geared towards the protection of global privacy rights regarding the data privacy of EU citizens. This is especially prescient in this day and age, given the recent fiasco with the American NSA regarding the data that former employee Edward Snowden uncovered. Here’s a quick rundown of some of the most important of these developments contained in GDPR:
- Restrictions on the collection, retention and processing of specified types of data, with an eye towards minors, in particular
- Establishes and imposes penalties against the noncompliant – which can consist of either 4% of total annual revenue, with a 20 million pound cap
- Ensures that business operations incorporate privacy protections into all facets of information transfer and storage
- Requires that companies are held accountable for data theft and breaches in security
- Establishes time-sensitive guidelines for the reporting of security breaches
- Limits the parameters in within which companies and organizations can store, process and share the data of EU citizens
- Promotes every EU citizen’s right to have their personal data completely eradicated from all company servers – known as “absolute rights”
There’s also some information in GDPR on how exactly “personal data” is defined; furthermore, the scope of this data has been broadened to protect citizens.
The Necessity of GDPR
Because data is so inextricably intertwined in your everyday life, data is more important than ever. Because of this new digital era, the world is essentially flat in the virtual arena; which just means that we are connected to such an extent that there are almost no more geographical limitations. This connection is why the European Commission established the GDPR in 2016; so that citizens of the EU could retain greater control over their personal data in light of real dangers such as identity theft.
The 28 member states of the EU have mandated that all businesses within their jurisdiction that previously adopted the provisions of the 95/46/EC EU Data Protection Directive, switch to the much more comprehensive GDPR.
The guidelines of this initiative make it easy to figure out its range of applicability. Taking a wide lens approach first, GDPR applies to any business within the confines of the member states, as well as those outside of the borders, that conduct business with EU citizens. The deadline for ensuring compliance is May 25th, 2018; if you are involved in a company or organization that collects, stores, transfers or processes the personal information of any EU citizen, then you are subject to GDPR guidelines. The following are examples of the types of data that compel you to adhere to the strictures of the GDPR:
- Phone number
- Email address
- Identification numbers – such as SSN or EIN equivalents
- Home address
- Date of birth
- Genetic information
- Biometric details
- Identifiable health information
- Criminal data
- Religious Belief
- Sexual orientation
- Union membership
- Political affiliation
If you’re a business that deals with anonymous or non-identifiable data, then this aspect of your business is not covered by the GDPR – as long as the information is encrypted or cannot be used to identify the specific person.
The People Have Power Over the Use of Their Personal Data
GDPR takes measures to ensure that EU citizens have individual rights exceeding any claims made by any company that deals with collecting, processing or storing their data; as such, there are guidelines that cover how an organization should properly track all such information in order to facilitate compliance checks.
This compliance process begins with full disclosure from the company regarding how they will use your data once it is collected. It is incumbent on the organization to make sure that all the privacy notices that oversee consumer data are easy to read and understand. Furthermore, if an EU citizen ever wants to op out, you must provide an easy and straightforward way for them to do so. It is, essentially, a right to erasure without undue delay.
The latter part is why tracking is so essential; if the data you collect does not have tracking algorithms in place, how will you be able to locate consumer info? The GDPR levies large fines for noncompliance; this is intended to be an incentive for companies to adhere to its strictures from the very beginning. To really ensure that your company has it all together, it’s best to consider a Data Protection Officer (DPO) to oversee your compliance efforts for GDPR.
Maintenance of the Prescribed Data Safety Protocols
Given the indelible relationship that data security has with privacy, it is instructive to understand a course of action in the event of an information breach. First of all, if EU citizen data is illegally accessed, there may be a big fine to levy; much of this is predicated on any non-compliance issues that contributed to the breach.
To understand what you’re responsible for, make sure you design a privacy-centric system that involves training employees on security awareness if they are anywhere along the pipeline of data collection, transfer and storage. It helps to conduct regular exams testing the data security system you have in place, and put into practice mechanisms for proving that these practices are actually in compliance. This could necessitate the hiring of outside contractors who specialize in data security. Lastly, should a breach occur, you are compelled to notify the appropriate authorities – as outlined in GDPR – of this breach within 72 hours.