Just a few weeks from now, on May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) comes into force. It is a mandate that will cover multiple areas of the business sphere, including cybersecurity, technology, human resources, and marketing. As such, you should make it a priority to ensure that your enterprise is ready to comply with every one of the 99 new rules designed to protect the data of EU citizens.
The following is a short list of some of the most important new structures in the GDPR:
- There will be penalties for regulatory noncompliance of up to 4% of the company’s global annual revenues, or €20 million.
- All business operations must have privacy protections embedded in their processes. Data collection processes will face new restrictions, especially where minors are concerned.
- There will be ironclad timelines for the reporting of data breaches, as well as the steps that a company should take to address them.
- An overhaul of the entire process of processing, sharing, and storing citizen data.
- Enable the mechanism by which EU citizens can completely erase their personal data, as well as determine how it can be used.
Is GDPR Actually Necessary?
In a world where your local data can become global at the touch of a button, the European Commission’s GDPR is touted as essential to the protection of that data. Recent breaches at large multinational conglomerates have shown that the consequences of data and identity theft can be devastating. In particular, GDPR is intended to harmonize the framework within which EU companies, individuals, and enterprises can conduct mutually beneficial business.
The Scope of GDPR
The most common question that arises is whether or not the new EU regulatory mandate applies to your business. Even if you are not located inside the European Union, if you conduct business with, or process, store or collect the information of, any EU citizen, then the answer is yes: GDPR applies to you. GDPR generally distinguishes between two kinds of information:
- Anonymized Data: if you mostly deal with this kind of data, then you don’t have to change much of anything. GDPR is intended to cover data that can be used to breach people’s privacy; since anonymized data is encrypted and cannot be linked to an individual, you needn’t worry about noncompliance or security breaches.
- Personalized Data: this is, of course, precisely what the EU guidelines intend to cover. It includes cyber protections that extend to your date of birth, home address, email address, any numbers that can identify you, your phone number, your name and others. These are the basics of personal information; the new EU mandate extends this to protection over biometric, health, genetic, gender, religious beliefs, race, sexual orientation, union membership and political affiliation.
Presiding Over Your Personal Data
The manner in which you go about procuring customer data in alignment with the EU’s GDPR regulatory mandate begins from the moment you acquire the name. Once you have this, you must outline the manner in which you use the information, and for what reason. Only then can the data subject grant consent to allow you to collect, process and store the information.
Additionally, any and all of your prior written communication should include a privacy notice. The information there should be concise and simple to understand; make sure to look at some examples of certified privacy notices to gauge the level of clarity required. Furthermore, if there are new developments in the manner in which you wish to process or store citizen data, then you must obtain further consent from the persons involved; they have the right to withdraw their previous consent or to narrow its scope.
This is where the data portability aspects of the GDPR come into play. Upon request, the respective persons can have all of their data returned to them or have your business erase it completely and promptly. As such, you must implement a viable data tracking system that allows you to honor the “right to be forgotten” clause embedded in the new regulatory provisions.
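To make the “data tracking system” concrete, here is an added illustrative example, not code from the original article or from Reciprocity. It sketches a hypothetical inventory that records consent per purpose, refuses to write personal data into a store the subject has not consented to, and can locate, export (portability) and erase (right to be forgotten) a subject across every registered store, leaving an audit trail of what was touched. All store names, subject ids and record contents are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


@dataclass
class ConsentRecord:
    """What a data subject agreed to, and when; withdrawn_at is set on rescission."""
    subject_id: str
    purposes: Set[str]
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    def covers(self, purpose: str) -> bool:
        return self.withdrawn_at is None and purpose in self.purposes


class DataInventory:
    """Hypothetical registry of which backing stores hold personal data for each subject.

    Every store that can hold PII is registered up front, so an export or erasure
    can be shown to have reached all of them, not only the ones someone remembered.
    """

    def __init__(self) -> None:
        # store name -> subject id -> the record held there (constructed, in-memory)
        self.stores: Dict[str, Dict[str, dict]] = {}
        self.consents: Dict[str, ConsentRecord] = {}
        self.audit: List[str] = []  # append-only log of privacy-relevant events

    def register_store(self, name: str) -> None:
        self.stores.setdefault(name, {})

    def record_consent(self, subject_id: str, purposes: Set[str]) -> None:
        self.consents[subject_id] = ConsentRecord(subject_id, set(purposes), datetime.now(timezone.utc))
        self.audit.append(f"consent granted subject={subject_id} purposes={sorted(purposes)}")

    def withdraw_consent(self, subject_id: str) -> None:
        consent = self.consents.get(subject_id)
        if consent is not None and consent.withdrawn_at is None:
            consent.withdrawn_at = datetime.now(timezone.utc)
            self.audit.append(f"consent withdrawn subject={subject_id}")

    def store(self, store_name: str, subject_id: str, record: dict, purpose: str) -> None:
        """Refuse to write PII into a store unless valid consent covers the stated purpose."""
        if store_name not in self.stores:
            raise KeyError(f"unregistered store: {store_name}")
        consent = self.consents.get(subject_id)
        if consent is None or not consent.covers(purpose):
            raise PermissionError(f"no valid consent for subject={subject_id} purpose={purpose}")
        self.stores[store_name][subject_id] = dict(record)
        self.audit.append(f"stored subject={subject_id} store={store_name} purpose={purpose}")

    def locate(self, subject_id: str) -> List[str]:
        """Names of every registered store currently holding data for the subject."""
        return sorted(name for name, rows in self.stores.items() if subject_id in rows)

    def export_subject(self, subject_id: str) -> Dict[str, dict]:
        """Portability: return a copy of everything held, keyed by store."""
        self.audit.append(f"export subject={subject_id}")
        return {name: dict(self.stores[name][subject_id]) for name in self.locate(subject_id)}

    def erase_subject(self, subject_id: str) -> List[str]:
        """Right to be forgotten: delete from every store and report which ones were touched."""
        touched = self.locate(subject_id)
        for name in touched:
            del self.stores[name][subject_id]
        self.consents.pop(subject_id, None)
        self.audit.append(f"erased subject={subject_id} stores={touched}")
        return touched


def demo() -> dict:
    """Constructed walk-through: one subject held in two systems, then exported and erased."""
    inv = DataInventory()
    for name in ("crm", "billing", "analytics"):
        inv.register_store(name)
    inv.record_consent("subj-001", {"service", "billing"})
    inv.store("crm", "subj-001", {"name": "Example Person", "email": "person@example.test"}, "service")
    inv.store("billing", "subj-001", {"iban": "XX00 EXAMPLE"}, "billing")
    try:
        inv.store("analytics", "subj-001", {"clicks": 17}, "marketing")  # purpose never consented to
        marketing_blocked = False
    except PermissionError:
        marketing_blocked = True
    exported = inv.export_subject("subj-001")
    erased = inv.erase_subject("subj-001")
    return {
        "marketing_blocked": marketing_blocked,
        "exported_stores": sorted(exported),
        "erased_stores": erased,
        "remaining": inv.locate("subj-001"),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that consent and location are tracked in one place: a write is only possible through a path that checks consent, so the inventory is complete by construction, and an erasure request can be answered with the list of stores it reached rather than a best guess.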
Lastly, your company will need to have a Data Protection Officer who is in charge of compliance. This is effectively a data controller who can locate the personal data of any EU citizen in your systems.
Data Protection on Your End
Since privacy is paramount to the structures of the GDPR, the financial penalties imposed for noncompliance in the event of a breach are considerable. As such, it is imperative that you embed EU citizen data privacy design and security into the operational processes of your infrastructure. The best way to do this, or at least the most expedient, is to automate it. For example, if there is a breach and your data is exfiltrated, but the Personally Identifiable Information (PII) for EU citizens is encrypted, then you should be safe, since it is anonymous and cannot be used by the attacker.
If, on the other hand, you employ third-party contractors to secure, store and process data, then compliance rests on your shoulders. If there are any breaches, then you’re responsible for notifying authorities and the affected persons within 72 hours. If this is done correctly and you can show that you securely encrypted the breached data, there’s a good chance you will escape any potential fines.
Given the continuing growth of the EU economy, it is your best bet to remain on the good side of the GDPR. This means putting in the required effort, resources, and time to ensure compliance and conduct business with EU citizens in a fair and safe environment.
Ken Lynch is an enterprise software startup veteran, who has always been fascinated by what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.