GDPR is short for the General Data Protection Regulation, and it comes into full effect on May 25, 2018. Businesses across the world that work with the personal data of any EU citizen or resident are required to comply with GDPR.
While GDPR shares many traits with its predecessor, the EU’s Data Protection Act, GDPR is hands-down the stricter, more hard-hitting younger relative that protects the use of personal data.
This article will provide a brief overview of GDPR so you can start or continue work on a data protection compliance program at your company.
The legislation, as it appears in the Official Journal of the European Union, sums up the impetus for GDPR best:
“Rapid technological developments and globalization have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities.”
It’s important to note that this article should not be used as sound legal advice. If you are looking for lawful guidance and recommendations in preparing for GDPR, consult a data protection authority.
GDPR Grants People More Control Over How Their Personal Data Is Used
In the EU, personal data protection is considered a fundamental human right, and with more and more data breaches only increasing in severity and long-term impact, the need to protect personal data is more pressing than in years past.
The EU has historically taken a more stringent approach to handling data than the U.S. has. GDPR is pushing aside the former data protection initiative, the EU Data Protection Directive, or Directive 95/46/EC, which was adopted over 20 years ago.
Personal data protection regulation has been in dire need of a transformation, and GDPR offers just that and then some.
Data protection regulations such as the ones mentioned above, and all of their predecessors, come on the heels of massive leak events.
Illegal government-run surveillance programs, such as those Edward Snowden exposed in 2013 at the U.S. National Security Agency (NSA) and among European government entities and large telecom companies, are feeding the need for regulations like the GDPR.
The NSA leaks are one example of why a regulation like the GDPR is so needed. Massive data breaches at discount retailer Target Corporation and consumer credit reporting agency Equifax offer even more validation.
When these kinds of events are coupled with the incredibly fast pace at which global data-driven companies and organizations operate, vulnerabilities are exposed, data protection and security programs show their gaps, and the risks of using personal data for business purposes come to the surface.
GDPR is the most recent attempt at a regulation aiming to set the pace of data protection. While the use of data has taken off rapidly across industries and sectors, the regulation and protection of personal data have not kept that same pace.
We see time and again with every data breach that protecting our personal data and the personal data of others is critical. When personal data winds up in the wrong hands, the consequences are irrefutable, expensive, and in some cases, life ruining.
It’s easy to hear GDPR and think that, since it’s an EU-led regulation, businesses in the U.S. can forgo having to comply.
Yet any U.S. organization, no matter its size, that conducts business with any EU market and processes the personal data of anyone living in the EU must comply with GDPR.
Being out of compliance with GDPR carries hard and fast fines of up to whichever is the greater sum: €20,000,000 or 4 percent of annual worldwide turnover.
Large data-driven companies such as Google and Amazon started preparing for the regulation when it was first passed in 2016. The foundation of these businesses, and ones like them, is centered around handling data, so preparing for GDPR at large-scale data-driven companies is a longer process.
However, small businesses that do not have a large stake in personal data and handle only a small amount of it are also expected to take whatever steps are necessary to be in compliance with GDPR.
GDPR compliance is not to be approached as a check-the-box, one-and-done compliance process. Rather, it is poised to be the best practice moving forward when it comes to protecting personal data, and it must be maintained at all times, not just when May 25, 2018, comes around.
When assessing your data protection program to prepare for GDPR, consider the following:
- Under GDPR, there are a handful of new rights that people are given. Get as familiar with them as possible to ensure you’re prepared to adhere to each right whenever they are exercised. These rights are paraphrased from the legislation later in this article.
- Every new organizational process or system implementation you may have on the horizon is expected to follow suit with GDPR. You can ensure compliance by conducting a Data Protection Impact Assessment.
- Start chipping away at developing an action plan that can be used during a data breach. GDPR requires breach notifications to be sent within 72 hours of a breach becoming known. By having a plan and a draft notification at the ready, it’s one less thing to stress over during an inherently high-stress event.
- It’s very clear from the get-go that the focal point of GDPR is accountability and transparency. Because of this, organizations need to be able to prove they are GDPR compliant at any given time if requested by the governing authorities. Keeping a well-documented and easily accessible paper trail at all times is a great fail-safe to have when the regulators come knocking.
What is Considered “Personal Data” Under the GDPR?
Think about the amount of information you enter for an everyday purchase on Amazon — credit card number, home address, email address. Not to mention the information the site itself collects using cookies such as your computer’s IP address. Everything you’ve entered is considered “personal data.”
If you then think of other instances online in which you enter information, say when checking your credit score, applying for a home loan, or shopping for a car, “personal data” is everywhere, which means the risk of it being illegally used is high.
Under GDPR, “personal data” officially includes:
- Your full legal name — how your name appears on your birth certificate and other vital legal documents like a social security card.
- Age, date of birth, social security number, passport number, and driver’s license number.
- Home and email addresses.
- Credit card information and banking account information.
- Any logins to websites and their passwords.
It’s easiest to think of “personal data” as any information that can be used to identify you in any way. This includes any information about your racial or ethnic origin, political opinions or party affiliation, religious beliefs, physical or mental health condition, criminal history, and even your sexual orientation and history.
GDPR does distinguish between “personal” data (anything in the bulleted list above) and “sensitive data” (anything in the above paragraph), but regardless of the distinction, GDPR protects the use of both personal and sensitive data.
Rights That Each Individual Has Under GDPR
The right to be informed
Businesses are required to inform individuals of how they are using their personal data by sending them privacy notices.
The right of access
Individuals have the right to access their personal data at any time to confirm its accuracy. Under this right, people can deny a business use of their personal data if it is indeed inaccurate in any way and have the chance to correct it.
The right to rectification
If someone finds out that their personal data is incomplete, incorrect, or untrue, the person can require the business to correct it.
The right to erasure
This right is perhaps the most intriguing in the sense that it feels like you can never truly delete anything about yourself that appears on the internet. When you do “delete” an unused retail account, you can’t help but think that it could still be active, living in the digital alleyways and anyone with even a slight knowledge of computer hacking and malicious intent can find it if they really wanted to.
This right allows people to tell companies to delete their personal data completely, without having to give a reason.
Subjectively speaking, GDPR allows people to go off the grid, so to speak, which seems unattainable these days despite the best of efforts to be digitally forgotten.
The right to restrict processing
If someone finds an error or anything false in their personal data, they not only have the right to have it corrected, but they can also tell the business that, while the corrections are being made, it is not allowed to use or process their data until it is fully corrected.
The right to data portability
If someone wants to take their personal data from a business, not only can they have access to it, but they also have the right to reuse their data for their own purposes. The business is required to provide the person with their data safely and securely, in a readable file format such as a .CSV.
The right to object
It’s likely that you’ve searched something on Google, say “fuel efficient cars” for example, read a few articles, and suddenly started to see ads for the Toyota Prius or the latest hybrid SUV.
While many of us have become immune to personalized marketing, and maybe even prefer it, opting out of this use of your data is easier under GDPR.
If a person isn’t OK with how a company uses their personal data to target them in their marketing or advertising, or any other public use of their data, they have the right to say no more and formally object.
Rights in relation to automated decision making
Making things more efficient is the name of the technology game, and automated decision-making technologies have exploded as a result. But sometimes the way personal data is automatically used to make a decision, via algorithms and data mapping, removes too much of the human element.
When decisions are made using only a computerized process, errors or discrepancies can happen, as with any piece of technology. While this kind of technology is a major time saver for industries like banking, for example when running a person’s credit, a real live human being should be at the ready to review and confirm the decision made by the computer.
Under GDPR, if a person feels that an automated decision has “significant effects” on them, they have the right to object to the decision and ensure the final say is determined by a human.