On May 25, 2018 the General Data Protection Regulation (GDPR) replaced the decades-old Data Protection Directive that had until then been in force in the European Union (EU).
This is a big change and people have questions.
Well, we have answers. This guide covers everything you need to know about the GDPR without the confusing IT jargon.
What is the GDPR? What's the Goal?
The GDPR takes control of personal data out of companies' hands and puts it back in the hands of its owner.
New requirements will help companies understand data privacy laws and will protect EU citizens from breaches.
How Do I Know If My Company Must Comply?
The GDPR outlines its scope very clearly to leave little room for mistakes. The rules apply if the company:
- is located outside of the EU but processes the personal data of EU residents
- is located outside of the EU but collects the personal data of EU residents
- resides in the EU and processes or collects the personal data of EU residents
This Ovum report claims that two-thirds of businesses will have to rethink their strategy in Europe.
What Qualifies as "Personal Data"?
The new regulation takes a broad view, defining personal data as any public, private or professional information about an individual, all of which requires the same level of protection.
This includes, but is not limited to: name, home address, photos, bank details, email address, social media posts, medical information, IP address and RFID tags.
Eight Key Changes of the GDPR
The pressure is on for companies to meet numerous new compliance standards.
And failing to comply can cost you. In fact, penalties can now reach £20M (this is new under the GDPR).
Don't let a fine be your company's ruin.
Read on for the key takeaways of the GDPR and the changes you need to make for the safety of your company, staff and users:
1. Greater Authority and Applicability
The GDPR covers a broader jurisdiction than the previous directive.
As briefly stated above, the new rules apply to all companies that process or control the personal data of individuals in the EU.
Even companies not specifically located in the EU must comply.
2. Explicit Consent and Easier Withdrawal
The GDPR strengthens the conditions for user consent.
Companies must request consent from users in an easy-to-understand way, using clear and plain language, and the consent must be given explicitly.
Plus, it must be just as easy for a user to withdraw their consent as it was to give it.
3. The Right to Erasure
The previous directive had the “right to be forgotten”.
Building on that, the right to erasure under the GDPR means that subjects have the ability to ask that their previously collected or processed data be deleted.
If the subject withdraws their consent or the data is no longer required for its original purposes, they can ask that the data be erased permanently, and the company must comply.
4. The Right to Access
The right to access personal data encourages transparency between companies and data subjects.
A company must provide an inquiring individual with information regarding:
- What data of theirs is being processed
- How this data was acquired
- Where the data is being processed
- With whom the data is being shared
5. The Right to Data Portability
The right to data portability is another attempt at empowering the data subject.
With this, individuals have the right to transfer their personal data from one company to another without trouble.
One exception is data that’s sufficiently anonymized.
6. Privacy By Design and By Default
The GDPR calls for “privacy by design”.
The new regulation promotes data protection as something that’s prioritized from the start, as a default, rather than an afterthought.
For example, companies must minimize the amount of data in their possession by processing only what’s necessary to complete the task at hand.
And, after said task is complete, the company should destroy or anonymize any data that’s no longer needed.
7. More Stringent Breach Notifications
Data breach notification rules are more stringent under the GDPR.
Breaches must be reported to the Supervisory Authority of the affected states within 72 hours of discovery.
In certain situations, victim companies may be required to notify those whose data is affected by the breach.
8. Heightened Penalties
Penalties are greater under the GDPR. Companies found not in compliance may be fined up to 4% of their annual revenue (or £20M, whichever is greater).
This could be detrimental to a company’s success. Oliver Wyman predicts that the EU could collect as much as £5 billion in fines in the first year.
It will be a challenge for companies to revamp old systems or implement entirely new ones to meet new standards.
For more details, the entire GDPR is available here.