Users log into favorite sites to find pop-ups urging them to review terms and conditions. There are even memes floating around making fun of the phenomenon. For enterprise, however, this is no laughing matter. The General Data Protection Regulation (GDPR) is now live, and companies need to take steps to protect themselves.
This legal framework for managing and protecting consumer data in the European Union went into full effect at the end of May. Companies that violate the GDPR, even those based outside the EU, are subject to steep revenue-based fines. That raises some critical questions for enterprise. What is the GDPR? Who is bound by it? More importantly, how can businesses protect themselves from costly penalties?
Note: This article is meant to be an overview, not legal guidance. A business attorney is the best person to offer specific advice on how the GDPR affects your company.
The GDPR was created in response to the rising threats to consumer safety posed by Big Data and evolving IoT technology. It defines data privacy as a fundamental right and puts protections in place for the personal data of European Union residents. That includes things like names, addresses, phone numbers, email addresses, photos, identification numbers, IP addresses, human resource records, and biometric data.
Essentially, the GDPR provides more consumer control over data for EU residents. It applies to people and activity within the EU’s sphere of legal influence, specifically:
- Residents of the EU
- Businesses and other organizations based in the EU
- Entities operating in the EU
- Entities who collect or process data in the EU or data otherwise covered under the GDPR
- Monitoring of the behavior of individuals within the EU
There are two categories of entities that are bound by the GDPR. Controllers own and maintain data while processors analyze or process data on the controller’s behalf. Both of these groups are responsible for protecting consumer data, removing the excuse that a company wasn’t responsible for a processor’s actions.
Although this is an EU regulation, it has global repercussions. Any company that doesn’t want to implement location-based blocks on data collection from its website, or cut off operations in the EU entirely, must ensure that the data it handles is being protected. The penalties for breaches are potentially high, too. Many international companies are finding it more practical to implement compliance procedures across the board to prevent accidental mishandling of EU-related data.
What Changes for Enterprise
GDPR guidelines are simple but wide-reaching, all aimed at improving individuals’ control over their data and their peace of mind.
Here’s what changes:
The GDPR covers both the handling of EU residents’ data anywhere in the world and any data processing that takes place within the EU. The applicability of data protection laws used to be ambiguous; companies could simply process data outside the EU to sidestep its legal protections.
Consumer control and consent
Individuals have much more control over what happens with their data. They must be told specifically what is being collected, why it’s being collected, how it’s being used, and what protective measures are in place. There are also exceptions for legal allowances like public safety, a controller’s legal obligations, and the legitimate legal interests of another person in the data. Controllers can’t refuse service to someone who declines to allow data usage unless that data is necessary to provide the service. This set of rights comes with specific additional rights:
- Access to Data: Consumers can access their data as well as what it’s being used for on request.
- Data portability: Controllers must provide a data subject with their data in a commonly used format and transfer that data to another controller on the data subject’s request.
- Right to be forgotten (RTBF): Consumers can have their data erased on request, both by the controller and by any entity that was given the data.
Security by design and default
Controllers must make secure settings the default in all scenarios and take active steps to ensure data security.
Breaches must be disclosed if they could result in any risk to the rights and freedoms of data subjects, including the right to data privacy. Public disclosure must happen within 72 hours of the organization becoming aware of the situation. Processors have an additional duty to inform controllers of breaches on their end without “undue delay” to expedite public disclosure.
Data Protection Officers
This is one of the least understood parts of the GDPR, but it doesn’t need to be complicated. Organizations only need a designated data protection officer in select cases, specifically:
- When a public authority is processing personal data (except courts conducting official judicial business)
- When there is regular, systematic monitoring of individuals on a large scale
- When monitoring certain categories of data, including biometric data, data about religious or political beliefs, trade union membership, health information, and criminal or legal backgrounds; additionally, this data can only be processed in specific circumstances (i.e., with the explicit consent of the data subject, or when legally required)
If an organization does need a designated DPO, there are rules meant to avoid collusion and improve the quality of oversight. The DPO can be a contractor or internal employee so long as their contact information is made available to the relevant Data Protection Authority.
They must be trained on GDPR requirements and data protection best practices. There can’t be any conflicts of interest with other duties or associations. Finally, they have to have complete executive support in terms of training and resources with the ability to report to the highest level of management.
There are standard enforceable fines for violations of the GDPR. Fines are based on different factors (like how much damage was caused, how the issue was discovered, and what the controller is doing to fix the situation). The basic types of fines fall into different categories:
- Accidents and oversights are punishable by up to the greater of €10 million or 2% of the organization’s global annual turnover.
- Carelessness or deliberate violations can cost up to the greater of €20 million or 4% of global annual turnover.
Protecting Your Company
Here’s a quick checklist of steps that will help companies ensure GDPR compliance and avoid fines.
- Assess whether the GDPR could potentially apply, keeping in mind that online ordering systems that collect EU data are included.
- Make GDPR compliance an executive priority. Incorporate the GDPR into onboarding and refresher training.
- Determine whether a DPO is needed and, if so, make sure they have an unobstructed direct line to company leadership.
- Identify all types of individual data collected by the company and how it’s used.
- Minimize personally identifiable data used in general. Good analytics can be done with anonymized or pseudonymized data, so prioritize that.
- Update privacy policies to spell out data usage, individual rights, and the mechanism for obtaining or deleting individual data records.
- Review and improve data security measures to include breach handling policies.
- Recommit to good data management policies (software updates, minimizing soft targets, and so on).
- Be vigilant for second-hand vulnerabilities like data transfers to non-compliant entities.
Compliance with the GDPR may seem like a hassle, but it’s significantly less expensive than paying for a violation. Plus, having these standards in place benefits companies in the long run by improving public trust and preventing costly breaches.
Deciding whether the GDPR will apply to your enterprise means figuring out where your data comes from and how it’s being protected. Concepta can help. Set up a free consultation with our knowledgeable staff to review your data intelligence process and protect your business from accidental GDPR violations.