What You Need to Know About the General Data Protection Regulation (GDPR)
With more and more businesses being hacked on a daily basis and the recent revelation of Facebook data being acquired by Cambridge Analytica without users’ implicit knowledge, people are increasingly aware of and concerned about how their personal data is being handled. Research also shows that the costs of data breaches for businesses will reach over $2 trillion by 2019. This is why it’s important for all businesses to stay up to date with current developments in privacy laws and any future regulations that might follow.
The General Data Protection Regulation, also known as the GDPR, is a privacy law that was officially approved by the European Commission in April 2016 and will officially become effective and enforced on Friday, May 25, 2018. This new law concerns the collection and usage of the personal data of European Union citizens. Its main purpose is to strengthen current EU data protection law and bring it up to date by regulating how companies and individuals globally can acquire, manage, use, store, and dispose of personal data. This will help to establish a global understanding of privacy as a human right.
The GDPR will replace an older privacy directive from 1995 and will not only expand in scope, but will also expand the definition of what personal and sensitive information is, as well as expand the individual rights of EU citizens concerning their data. The prior directive had a narrow definition of what could be considered personal and sensitive data, as well as limited individual rights and looser consent and processing requirements. However, the directive was just as comprehensive and overarching as the soon-to-be GDPR law, with each addressing and covering all privacy issues. This is very unlike current U.S. privacy laws, of which several exist, with new ones created only when necessary. The U.S. laws also have narrow privacy definitions compared to the broadened GDPR definitions, and do not adequately address response times for data requests or breaches the way the GDPR does, nor do they properly address notifications to the actual individuals the personal data belongs to.
You might be wondering what this means for your business. Note that this directly affects your company if you’re currently collecting and/or using the personal data of individuals currently in the EU, regardless of what industry or sector your business is in, where your business is based, or whether or not EU citizens are part of your clientele/customer base. One allowance is given: the law does not apply if the EU citizens (or data subjects) whose data you’ve collected or used aren’t in the EU when you collect your data from them.
The GDPR considers data processing as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
Under the GDPR, information such as IP addresses, behavioral data, location data, biometric data, financial information, and racial or ethnic origins will be defined as personal data, alongside what is already commonly considered to be personal data (such as names, social security numbers, physical addresses, email addresses, health information, etc.). Even if personal info is assigned to a false name, it can still be considered personal data if that false name can be linked in any way to any specific individual.
EU citizens will be able to ask for access to their personal data/information. They can also ask for their data to be deleted or corrected and can object to having their data used, stored or shared. Requests for data access or data erasure must be responded to within 30 days. (An allowance can be given based on the number of access requests and the complexity of those requests, in which case requests must be responded to within two months, yet businesses would still need to notify the individuals requesting access in order to explain the delay.) Privacy breaches are to be reported within 72 hours.
Businesses that don’t comply with GDPR can be fined up to 20,000,000 Euros or 4% of the global annual turnover, whichever happens to be higher.
If your business hasn’t already prepared for GDPR, you should speak with legal professionals about how to properly implement changes within your business in order to operate within the law. Even if GDPR doesn’t currently apply to your business, it could have future global implications that might generate international privacy laws that would eventually affect your business. So it might be better to apply some or all of these privacy fundamentals now so that your business will be ahead of the game (and your competitors) in the future.
For complete details and a better understanding of what the GDPR requires and enforces, you can read the GDPR in full here: https://ec.europa.eu/info/law/law-topic/data-protection_en
Need assistance now with understanding something we didn’t cover about GDPR and privacy in this post? Contact us.