Get prepared for the GDPR.
If you do business anywhere in the world, there is a good chance your organization processes data about individuals in the context of selling goods or services to citizens in a European Union (EU) country. And if so, then you will need to comply with the General Data Protection Regulation (GDPR). What is the GDPR? It’s a regulation intended to strengthen and unify data protection for individuals within the EU. It was approved and adopted by the EU Parliament in April 2016 and will be in force May 2018.
The data it refers to includes any information related to a person that can be used to directly or indirectly identify said person. It can be anything from:
- a name,
- a photo,
- an email address,
- bank details,
- posts on social networking websites,
- medical information,
- computer IP address.
The GDPR is being called the most important change in data privacy regulation in 20 years. It not only applies to organizations located within the EU but it will also apply to:
- Those outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects;
- All companies processing and holding the personal data of individuals residing in the European Union, regardless of the company’s location.
In the GDPR, conditions for consent have been strengthened and companies will no longer be able to use vague terms and conditions full of legalese. Consent must be:
- “Clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language;”
- As easy to withdraw consent as it is to give it;
- Explicit for processing sensitive personal data – in this context, nothing short of “opt in” will suffice.
There is a tiered approach to fines and organizations can be fined up to 4% (20 million EUR) of annual global turnover for breaching GDPR. This is the maximum fine that can be imposed for the most serious infringement, such as not having sufficient customer consent to process data or violating the core concepts. Less serious infringements have a max fine of 10 million EUR. It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement. There is a provision for class action and individual prosecution depending on the breach.
In addition to fines and penalties, there is also the cost of compliance to consider. As an example, if every EU visitor to an American theme park in the last few years requested deletion of any of their data, the company that owns the park may be forced to spend a fortune to identify all the patrons and photos taken of them on systems throughout the park and delete them.
As a general trend the regulatory environment is getting more complex and prescriptive. There is a recognition that data is an asset and hence the focus on data will continue to rise. With just under six quarters from now till the regulation comes into force, time is critical and companies should start planning for GDPR now.