Are you ready for the General Data Protection Regulation (GDPR)? It starts soon, which means that every entity that processes personal information needs to be ready for it. If you aren't aware of what the GDPR is all about, you're in luck. This article will cover everything you need to know about general data protection regulations. We'll also give you a glimpse into what the GDPR actually is and whether it applies to you or not. We're even going to discuss how it affects data processing and what your business can do to comply.
What is the GDPR?
The General Data Protection Regulation (GDPR) will go into effect all across Europe on May 25, 2018. But what does that mean? The GDPR states that any entity that processes personal information has to follow the principles stated in the regulation. These upcoming changes redefine data protection and the very concept of personal data. Data processing will become transparent and controllable by BOTH parties.
In general, the collection and use of data must be fair. This means that the consumer now has control over their data and how companies use it. The GDPR protects all data from misuse and security breaches; the level of protection also depends on the sensitivity of the data itself.
So why should U.S. companies care?
Here's the thing: unlike Europe, U.S. laws and regulations tend to favor business over the consumer. The General Data Protection Regulation's charter states that "The protection of natural persons in relation to the processing of personal data is a fundamental right." The GDPR hopes to pave the way globally with a broad, comprehensive law that implements steep fines whenever there is a breach of the GDPR's policies.
But how does it really affect American businesses?
The General Data Protection Regulation charter recognizes that data can travel well beyond European borders, so it provides protection to citizens no matter where their data travels, i.e., the U.S. This means that ANY company that has a database that includes EU citizens must adhere to these new regulations. As a result, businesses of all sizes will feel the effects. In order to comply, American companies can either block EU users altogether or have processes in place to ensure compliance.
What the GDPR Entails...
Essentially the GDPR aims to protect user data in about every way possible. It operates with an understanding that data collection and processing is what most businesses run on. But at the same time, it strives to protect that data as a way to give the consumer ultimate control of what actually happens to it. So, in order to be GDPR-compliant, a company must handle consumer data carefully while providing consumers ways to control, monitor and check their data.
It also means that consumers can delete any of their information whenever they want to. Companies that want to stay in compliance must implement certain actions to ensure that data remains protected. To comply with this requirement, GDPR promotes pseudonymization, anonymization, and encryption.
- Anonymization - this is the encryption or removal of information that links to a user.
- Pseudonymization - sits somewhere between identifiable and anonymous data. With this technique, the identifying elements are separated from the rest of the data in a way that allows them to be put back together later.
With pseudonymization, a system might assign a user one identifier for their location and another for their browser; these only link back to the person when combined with a piece of information such as their date of birth, which is kept separately. The General Data Protection Regulation promotes pseudonymization over anonymization.
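As an added illustration (not code from the original article) of the distinction just drawn, the snippet below pseudonymizes constructed sample records by replacing direct identifiers with a keyed token and keeping the token-to-identity mapping in a separate store; it assumes HMAC-SHA256 as the tokenization method, and shows that re-linking needs the separately held mapping, that deleting the mapping satisfies an erasure request, and that anonymization keeps nothing to re-link at all.

```python
import hmac
import hashlib

# Constructed sample records; not real customer data.
RECORDS = [
    {"email": "alice@example.com", "name": "Alice Example", "city": "Dublin", "browser": "Firefox"},
    {"email": "bob@example.com", "name": "Bob Example", "city": "Lyon", "browser": "Chrome"},
]
DIRECT_IDENTIFIERS = ("email", "name")


def pseudonymize(record, key, lookup):
    """Replace direct identifiers with a keyed token (assumed method: HMAC-SHA256).

    The token -> identity mapping goes into `lookup`, which must be stored
    separately from the pseudonymized data set, just like the separately kept
    date of birth in the article's description.
    """
    ident = "|".join(record[f] for f in DIRECT_IDENTIFIERS)
    token = hmac.new(key, ident.encode(), hashlib.sha256).hexdigest()[:16]
    lookup[token] = {f: record[f] for f in DIRECT_IDENTIFIERS}
    pseudo = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    pseudo["subject_id"] = token
    return pseudo


def reidentify(pseudo, lookup):
    """Re-linking is only possible with access to the separately held lookup."""
    return lookup.get(pseudo["subject_id"])


def erase_subject(token, lookup):
    """Erasure request: dropping the mapping leaves rows that no longer link
    back to the person. Returns True if a mapping existed and was removed."""
    return lookup.pop(token, None) is not None


def anonymize(record):
    """Anonymization: identifiers are removed outright; nothing is kept to re-link."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


if __name__ == "__main__":
    key = b"constructed-secret-key"  # in practice: held separately from the data set
    lookup = {}
    pseudo_rows = [pseudonymize(r, key, lookup) for r in RECORDS]
    print(pseudo_rows)
    print(reidentify(pseudo_rows[0], lookup))
    erase_subject(pseudo_rows[0]["subject_id"], lookup)
    print(reidentify(pseudo_rows[0], lookup))  # None after erasure
```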
According to the GDPR, companies need to make sure that customers have control over their data. This means that the data needs to include safeguards in order to protect their rights. At its core, the protection centers on processing and communication that take place only with the subject's explicit and affirmative consent.
How do the regulations seek to protect consumers?
- Broad Jurisdiction. The GDPR applies to ANY company that processes the personal data of EU citizens, regardless of where the EU citizen lives.
- Better systems. In order to comply with the foundation of “privacy by design,” the GDPR requires processes built with data protection in mind, which means that companies cannot treat it as an afterthought.
- A reiteration of important consumer rights. This is the data subject's right to get copies of their data and information on how companies actually use it. This grants them the right to be forgotten (data erasure). It also allows customers to move their data from one service provider to another.
- Specific protection for children. Since children are typically more vulnerable and less aware of risks, GDPR includes guidance on parental consent for children under the age of 16.
- Strengthened and simplified consent from data subjects. Consent will also be given in an accessible form that's easy to understand. It must include a clear written purpose for the user to sign off on. There also needs to be an easy way for the user to reverse consent if they decide to do so later.
- Mandatory breach notification. Any data breach that is likely to “result in a risk for the rights and freedoms of individuals” needs to be reported within 72 hours of its discovery. Data processors have to notify their customers “without undue delay” when they discover the data breach.
- Strong Penalties. Breaches can cost companies up to 20 million Euros or 4% of their annual global turnover. Some infringements carry smaller fines, but these still add up to a significant penalty.
The Data Protection Officer
The GDPR requires any company that has large amounts of data to hire dedicated personnel to oversee all aspects of GDPR compliance. The Data Protection Officer (DPO) is expected to be in addition to any current IT or data security personnel. DPOs will be answerable for GDPR compliance and liability.
Will this really affect American companies? How will they enforce it?
Okay, so yes, the GDPR requires member states to establish supervisory authorities with the power to monitor compliance. But the situation is a little unclear when it comes to countries outside the EU. The truth is that no one really knows how the EU will enforce the GDPR in the States. Unfortunately, we probably won't know until we see the first test case.
The EU-US Privacy Shield framework, created by the U.S. Commerce Department, will specifically help companies comply with transatlantic data protection requirements. But we won’t know exactly how it will play out until a U.S. company is found non-compliant with the GDPR.
Are American companies ready?
As of now, it's unclear how prepared U.S. companies really are. Not surprisingly, there's some debate about whether GDPR will cause distress or not. However, there is some evidence that in late 2017, companies began taking it seriously. A survey by security compliance firm TrustArc and the International Association of Privacy Professionals (IAPP) found that 84% of its U.S. respondents expect to comply by May 2.
However, some are trying to avoid the GDPR with preemptive strikes. In April, Facebook changed their privacy settings, stating that they will NOT extend GDPR to their new privacy settings. As a result, the MEP argues that the GDPR isn't enough. The feeling is that the EU needs more legal safeguards in place, as the only way to prevent massive security breaches like the Facebook scandal.
For the most part, it's unlikely that companies will have to adapt their standard marketing processes, such as data mining, location targeting and remarketing. However, they will have to think of new ways to handle data. Businesses that already take the threats associated with user privacy seriously are already ahead of the curve.
How can companies prepare?
Thankfully there are steps that you can take when it comes to developing a plan to stay in line with the GDPR's regulations.
- Hire a DPO (data protection officer). Since the GDPR assigns liability to data processors and controllers, it doesn't require a DPO. However, it is an investment worth making, especially if you are a larger corporation. The potential damage to your company's bottom line isn't really worth the risk. When it comes down to it, consumer information deserves to remain private, and anything you can do to uphold that is key.
- Educate your staff. Even though the bulk of responsibility falls on your security staff, anyone who handles information needs to understand GDPR. This includes staff that interacts with new customers and data entry personnel.
- Integrate your IT and marketing departments. Between the threat of cybercrime and the need for specific monitoring, your IT department will be your BFF. It's a good idea to invest in IT solutions that keep your company on the right side of the regulations. The best part is that your consumers will trust you more.
- Complete a thorough audit of your current data security. The best way to be compliant is to accurately assess your current data processes. This way you can identify high-risk areas and fix any problem areas before GDPR enforcement begins on May 25.
- Create tools to boost privacy. Every day there are more and more companies with pseudonymization solutions to help you stay compliant. Work with your DPO and IT department to find one that works best for you. The sooner, the better.
- Only work with providers that are GDPR-compliant. This includes your CRM services, marketing, and PR agencies. Even your email provider! It's incredibly important to make sure that ALL aspects of your data are compliant.
Legal Disclaimer: The information in this guide does not constitute legal advice. This is for informational purposes only, and we strongly encourage you to seek independent legal counsel to understand how your organization needs to comply with the GDPR.
We hope that this has given you some insight into the GDPR regulations starting May 25, 2018. If you have any questions, let us know in the comments below!