In 2012, the European Commission proposed new regulations on data protection that would supersede the national laws of the 28 EU member states. It was formally approved in April this year, and it will go into effect May 25, 2018.
This General Data Protection Regulation (GDPR) introduces several major changes that will impact many organizations worldwide.
The smart move is to familiarize yourself with the incoming regulation now, and begin preparing to comply with your obligations. The GDPR will apply to any business that operates within the EU, but also any company that processes data from EU citizens. It doesn’t matter where the organization is located.
Personal data and consent
The GDPR applies to personal data, but the definition of that data has been significantly broadened compared to former legislation. Customer lists and contact details will obviously fall within it, but even online identifiers such as IP addresses could be defined as personal data under this new regulation.
The rules of consent are also changing.
Before companies can process any personal data, they must explicitly obtain clear and affirmative consent. It cannot be presumed due to silence or inactivity on the customer’s part. For children under the age of 16, parental consent must be obtained, though EU member states have the right to lower the age to 13.
Privacy by design, DPO and risk assessments
Systems and processes related to data collection must be designed with privacy in mind from the outset. The GDPR stipulates that organizations should only collect the data they need to fulfil specific purposes and that they can’t keep it for any longer than is strictly necessary.
For public authorities, and companies processing large amounts of special categories of personal data, the appointment of a data protection officer (DPO) is mandatory. Organizations will be expected to hire someone who has real expertise and knowledge of the latest laws and practices.
It’s also going to be mandatory to conduct privacy risk-impact assessments to analyze the risk of data breaches and take steps to minimize it.
Transparency and data breach notifications
When a data breach occurs, organizations must report it within 72 hours initially to the protection authority. However, if there’s a big risk to customers, then customers must be notified, too.
Transparency is at the heart of the legislation, so companies will be expected to maintain a clear audit trail and justify the security decisions they make surrounding data.
Rights for individuals
There’s a series of rights that individuals have under the GDPR. In addition to the right to be informed about breaches, they also have the right of access, so they can request a copy of personal data in a format that’s accessible for them.
There are also rights pertaining to rectification, erasure and data portability. Individuals will even have the right to restrict processing and challenge automated decision making and profiling. There are a lot of details expanding on these rights and when they can be enacted, but that’s beyond the scope of this article.
It’s not yet clear how strictly they’ll be enforced and adjudicated, but organizations should take the time to ensure that they’re in compliance.
Penalties are substantial
If you’re still wondering why you should care about the GDPR, then consider that any organization found to have breached the regulation can be fined up to 4 percent of annual global turnover or 20 million euros ($21.7 million). It’s worth noting that’s turnover they’re talking about, not profit, and that fines will be whichever amount is larger.
The GDPR is designed to protect EU citizens, but it will also help organizations to mitigate the risk of a data breach, which can only be a positive thing.
The average cost of a data breach now stands at $4 million, according to the 2016 Ponemon Cost of Data Breach Study. A hefty fine on top could be enough to put you out of business permanently.
You can review the full GDPR legislation for yourself, but it’s a lengthy document packed with legalese. It may be easier and more effective to seek out some security expertise and work out a solid strategy for compliance.
The opinions expressed in this Blog are those of Michelle Drolet and do not necessarily represent those of the IDG Communications, Inc., its parent, subsidiary or affiliated companies.
This article is published as part of the IDG Contributor Network. Want to Join?