New data privacy regulations on the horizon for those conducting business in EU
Published February 15, 2018
Have you heard of GDPR? If not, and you are doing any business outside the United States (over the web or otherwise providing goods, services or monitoring the behavior of European data subjects), you need to be. GDPR references the General Data Protection Regulation, a new European Union (EU) data protection law and framework aimed at returning control of personal data to citizens.
GDPR is the most important change in data privacy regulations of the past 20 years. It imposes strict rules on those hosting, processing and moving personal data within and outside the EU. The date that GDPR enforcement is effective is May 25, 2018, at which time those organizations not in compliance could face heavy fines of up to 4% of annual revenues or €20 million (approximately $27.6 million), depending upon the nature and the severity of the infractions.
What constitutes personal data is any information related to a natural person or “data subject” that is directly or indirectly identifiable to a particular individual. It includes names, photos, email addresses, bank accounts, posts on social networking sites, and computer IP addresses, to name only a few of the covered categories. Also, it is clear in the new regulation that GDPR applies to all companies processing personal data of any kind related to EU residents, regardless of the company’s location. The Regulation also defines key provisions that do not exist under current U.S. data and cybersecurity regulations and guides, including:
- Specific breach notifications – Notifications are required within 72 hours of first becoming aware of a breach that is likely to result in a risk to the rights and freedom of individuals.
- Right to access – Data subjects (individuals) have the right to obtain confirmation from companies housing their personal data of whether or not personal data concerning them is being processed, where and for what purposes. Companies are also responsible for providing, free of charge in electronic format, a copy of the personal data they hold (enhancing data transparency and empowerment).
- Right to be forgotten – Individuals have the right to be forgotten, meaning they can request that data controllers (companies) erase their personal data and discontinue sharing and processing any of their data (article 17 of the standard).
- Consent – Companies can no longer use long, illegible terms and conditions to obtain consents to an individual’s data. Consents must be clear and distinguishable from other matters, and provide individuals with an easy method of withdrawing consents.
- Privacy by design – Must include data protection measures in an effective way in order to protect the rights of data subjects; holding and processing only data absolutely necessary (data minimization) and limiting access to personal data.
- Data Protection Officers – Further guidance and requirements forthcoming for DPO’s as well as duties, tasks and resources.