You’ve likely heard the term “GDPR,” and if you haven’t, I’m sure you have been required to accept what seems like hundreds of privacy policies and terms updates over the past month. The GDPR regulation does affect you, so we put together a summary of what you need to know!
What is the GDPR?
The General Data Protection Regulation (GDPR) is the legal framework (piece of legislation) that sets the guidelines for the collection and processing of personal information of individuals within the European Union (EU). The new regulation must be followed by every organization that processes personal data of these European Union citizens. It officially took effect May 25th, 2018.
The European Parliament adopted the GDPR to replace an outdated data protection directive from 1995. The old directive did not address many of the ways in which data is now stored, collected and transferred. The new regulation addresses these issues and also gives individuals more power over their data and less power to the organizations that collect and use such data for monetary gain.
What type of privacy data does the GDPR protect?
- Personal Data: refers to any personal information that can be used to identify an individual such as name, address, email, social security number, credit card number, date of birth, telephone number, etc.
- Web Data: Location, IP address, Cookie data
- Other data: Health, Genetic, Sexual Orientation, Racial or Ethnic Data, Political Opinions
Which GDPR requirements will affect my company?
The GDPR requirements will force U.S. companies to change the way they process, store, and protect customers’ personal data. For example, companies will be allowed to store and process personal data only when the individual consents and for “no longer than is necessary for the purposes for which the personal data are processed.” Personal data must also be portable from one company to another, and companies must erase personal data upon request.
That last item is also known as the right to be forgotten. There are some exceptions. For example, GDPR does not supersede any legal requirement that an organization maintain certain data. This would include HIPAA health record requirements.
Several requirements will directly affect security teams. One is that companies must be able to provide a “reasonable” level of data protection and privacy to EU citizens. What the GDPR means by “reasonable” is not well defined.
A potentially challenging requirement is that companies must report data breaches to supervisory authorities and to the individuals affected by a breach within 72 hours of when the breach was detected. Another requirement, performing impact assessments, is intended to help mitigate the risk of breaches by identifying vulnerabilities and how to address them.
For details about each of the individual rights, please review this section of the Guide to the General Data Protection Regulation issued by the UK’s Information Commissioner’s Office.
How does it affect American Businesses?
It directly affects any company that reaches a European audience. The GDPR states that if your company collects personal data from someone in an EU country, then you are subject to the GDPR requirements. But this only applies if the user is in the EU country when the data is collected. If they are an EU citizen, but the data is collected in another country (one that is not part of the EU), then it does not apply.
However, if a company in the United States (or any other country, for that matter) collects personal data on an EU citizen (in an EU country) as part of an email, form submission, marketing survey, etc., then the data would have to be protected under the guidelines of the GDPR.
What if I use a third-party email marketing platform like MailChimp, Constant Contact, Salesforce, or HubSpot?
MailChimp, Constant Contact, Hubspot and Salesforce are among the providers who have signed on to the Privacy Shield, showing their intention to follow GDPR’s rules on the transfer of data between countries. So, if you use one of these services or one of the other 2,000 companies that have signed on to Privacy Shield, they have taken some of this burden off of you. Whew!
- Which data do you need to collect?
- How will it be processed?
- What is the lawful basis for each processing action?
- How long will the data be stored?
- How can users exercise their rights?
What happens if companies don’t comply?
The GDPR leaves much to interpretation. It says that companies must provide a “reasonable” level of protection for personal data, for example, but does not define what constitutes “reasonable.” This gives the GDPR governing body a lot of leeway when it comes to assessing fines for data breaches and non-compliance.
However, the penalties are tough if you don’t comply. You have probably already heard about the lawsuits filed against Google and Facebook, so regulators aren’t messing around. GDPR fines can be up to 4% of the annual revenue of the prior financial year or 20 million Euros, whichever is higher.
Obviously, we aren’t lawyers (the complete opposite, actually), but we always recommend the “better safe than sorry” philosophy. Each company is different, so if you have any concerns about how your company is addressing the GDPR regulation, we would recommend you talk with your in-house counsel or legal team.