Security and data protection have always been a top priority for businesses. But with the European Union’s General Data Protection Regulation (GDPR) taking effect May 25, 2018, what does this mean for them? With the rising number of cybersecurity threats—from ransomware to denial-of-service attacks to the continued threat of phishing scams—data protection has become serious business.
The primary objective of GDPR is to improve data security practices, and those who breach the regulation will face consequences. Even if you are not physically located in Europe, you may be required to abide by these regulations.
What is GDPR?
GDPR was passed by the European Parliament to update the Data Protection Directive (DPD). Under this new law, anyone who touches the data of EU citizens must follow the regulation. GDPR does not apply only to companies located in the EU. It applies to any company that deals with personal data of any individual located in the EU. For example, this means that companies that are physically located in North America, Brazil, Japan, etc., with customers in the EU are subject to this regulation in the way they treat those customers’ data. So if you use EU citizens’ data in any way, you could potentially face hefty fines in the event of non-compliance.
The DPD was passed in 1995. Technology and security threats have vastly changed since then, especially over the past 2 years. The new law modernizes the rules around data protection, helping EU citizens retain greater privacy and control.
Additionally, this law is a regulation rather than a directive. A regulation requires that all entities or organizations in the EU adhere to standards set by the central European Union authorities, while a directive leaves it up to EU member states to implement their own laws that achieve the aim of the larger law. By making this a regulation, the EU has an opportunity to standardize the data laws and reduce confusion surrounding data governance.
Types of Data to Protect
Information collected about an EU citizen must be protected under GDPR.
Just a few examples include:
- Personal information: names, birthdates, physical address
- Digital identifiers: email address, IP address, MAC address, passwords
- Financial information: bank routing & account numbers, credit card details, ATM PINs, tax information
- Location information: GPS or social media check-ins
- Legal records
- Government records
- Medical records: doctor visits, medication lists, medical histories
Data Permission Rules
The DPD required that an organization obtain permission from data subjects before it could collect or use their personal data. But GDPR goes a few steps further.
In most cases, data subjects must give consent to data collection and processing by taking an explicit action. In these cases, users must explicitly opt in, and you cannot assume you have permission. For example, if you were collecting marketing data on a new lead for your business, your form must ask for their consent to use their data, and the user must actively check a checkbox to opt in. In other words, you can’t have a pre-checked box that says, “I agree to allow ABC Company to use my data for marketing purposes,” as a user may simply gloss over the box and be unaware that they gave consent. Key rule of thumb in these cases—make everything opt-in, not opt-out.
Additionally, you must fully inform the data subject on how you will use their information. And here’s the kicker—you must use plain language that is easy for the data subject to understand. Under GDPR, you must avoid complex legalese in any contract or on any form where you seek a user’s consent. Make your language so simple that anyone, regardless of education levels, can easily understand what you’re asking.
Data Subject Rights
GDPR expands the rights of data subjects when it comes to how their data is used. Gaining explicit consent to use someone’s data is only part of the game—EU citizens still have a say over their data after they’ve given permission.
Let’s take a closer look at three important rights:
- Access: The user can, at any time, request full access to their data and also request any corrections for inaccurate information (also known as the Right to Rectification).
- Data Portability: The user must be able to receive their information in an easily accessible “machine-readable” format.
- Erasure: The user can request that their data be deleted.
Data Protection Officer
GDPR requires that some organizations appoint a data protection officer (DPO). A DPO’s primary role is to ensure an organization complies with GDPR rules, including overseeing employee security training programs. They also must interface between the organization and any supervisory authorities.
While some organizations don’t have to appoint a DPO, any organization processing a large amount of data on users should consider appointing one. Additionally, organizations that are public authorities or that process criminal records data must appoint a DPO. Please check with legal counsel to understand whether your organization needs to appoint a DPO.
(This post is provided for informational purposes only and should not be relied upon as legal advice or to determine how the EU General Data Protection Regulation (GDPR) may apply to you and your organization. We encourage you to work with a legally qualified professional to discuss GDPR, how it applies to your organization, and how best to ensure compliance.)