Backbone | Blog Posts

Six questions you need answered about GDPR compliance


The European Union’s (EU) General Data Protection Regulation (GDPR) comes into effect on May 25, 2018. It introduces firm new rules for privacy and data security, backed by strict penalties for offenders. GDPR affects anyone who holds data on European citizens, including companies that are not based in Europe.

Do you know how this could impact your organization?

GDPR impacts all companies that work with European organizations equally, no matter where they are located. The content below outlines how the regulation will affect these businesses.

1. What data does the GDPR apply to?

Practically all data relating to people living in the EU is covered by GDPR. This includes unique identifiers, such as national identity numbers comparable to North American Social Insurance and Social Security numbers. It also includes details collected by websites, such as IP addresses, email addresses, device information, home addresses, birth dates and online banking details.

The regulation also protects user-generated content, such as social media posts and any images posted on the Internet. It applies equally to medical records and other personal data handled online.

2. Why is GDPR required?

Many countries in Europe already have national laws governing data gathering and storage, but GDPR protects people’s data more strongly and in a consistent way across all European countries.

This makes it simpler for European consumers to take an active role in how organizations collect and store their data. In turn, it gives organizations a single set of regulations to follow instead of the plethora of laws currently in place across Europe. Once it comes into effect, GDPR will replace all similar data laws upheld in individual European countries.

3. How does GDPR affect companies outside of Europe?

Companies worldwide must comply with the legislation governing how the data of European residents is collected, processed and stored.

Compliance requires businesses to switch to an “opt-in” approach instead of an “opt-out” approach (much like CASL compliance in Canada). Instead of forcing individuals to opt out of having their data gathered and kept, businesses must now obtain an individual’s consent before keeping their data. This applies to something as simple as signing up for a newsletter.

Further, under GDPR, Europeans have the right to ask how their private information is accessed and used by algorithms, such as those used by many search engines.

4. Should I employ a data controller or specialist?

Your business may be legally obligated to appoint a data protection specialist to oversee compliance with GDPR if:

  • Your company is classified as a public body.
  • Your company is involved in large-scale, regular monitoring of personal data.
  • Your company processes very large volumes of user data.

With regard to the second bullet, if the data handling your business engages in daily exceeds the average capacity of two normal employees, it can reasonably be considered “significant scale.” While there is some room for interpretation on that last point, we take the position that a possible penalty outweighs the risk of non-compliance.

5. What about businesses that don’t comply?

Businesses that don’t comply with GDPR will face heavy consequences.

Initially, a business will receive a written warning. After that, violating companies will be subject to regular data audits, which means granting an auditor access to complex, private and proprietary data.

Beyond that, companies that breach or violate GDPR may be fined upwards of $23 million or four per cent of the organization’s global turnover, whichever amount is higher.

When GDPR goes into effect in May 2018, it will become one of the most robust consumer data protection initiatives in the world. As a result, organizations should expect the regulation to be strictly enforced.

6. What is expected from companies outside of Europe?

Businesses’ data controllers will be required to guarantee that the data of Europeans is appropriately secured or anonymized. Data controllers can be held liable if gaps or harm are reported.

Data controllers are expected to report any breach (suspected or otherwise) to local authorities within 72 hours. Affected users must also be contacted, with the exception of affected pseudonymized data, which does not fall under the same notification rules.

Companies will also have to begin keeping records of user permissions. Organizations must be able to show that an individual gave permission for their information to be kept, and that their consent records remain accurate and up to date.

GDPR is set to be one of the most far-reaching consumer protection programs in the world. Its implementation will likely cause some organizations more headaches than others. But, at the end of the day, it’s crucial to note that the legislation was designed to safeguard an individual’s rights in an age when almost every aspect of our lives is stored on the Internet.

Is your company GDPR compliant? 

If you aren’t sure, or if you have to think about it, then it’s time to take the first step toward compliance with the new regulations and mitigate any potential risk to your company. Backbone offers services, business processes and technologies that help companies not only prepare for GDPR but also create a multi-step action plan to become compliant before the May 2018 deadline.

From the start, Backbone uses a practical approach to GDPR, ensuring that your company has a thorough understanding of the data privacy rules and how they relate to GDPR. From there, Backbone works with your company to assess which changes will apply and which areas may present the greatest risk, including what happens when there is a possible data breach, how and where to use encryption for on-premise and cloud infrastructure, security requirements around validating user identities, and the creation of a broader security measures program. As part of Backbone’s action plan, we will also help your company design and implement privacy-by-design guidelines to ensure that you not only become compliant but stay compliant. While GDPR does create some unique challenges, Backbone will help your company turn it into a competitive advantage and can help you market yourselves to new and existing customers.