If there is one thing the last couple of years have made clear, it is the lack of respect for personal data privacy: companies with inadequate security controls leading to improper management of sensitive information, businesses making a profit by selling clients’ information, and even government agencies that like to play big brother. At the end of the day, it has become somewhat naïve to expect real protection for personal data. What is the alternative? Should we just regard privacy and protection as a luxury that is no longer available? Perhaps not, especially if you are an EU citizen. This bit of good news comes in the form of a replacement for the European Union (EU) Safe Harbor Directive and, after its two-year transition period, the General Data Protection Regulation (GDPR) will be directly applicable in every EU Member State, even where there is no national legislation.
The GDPR (Regulation (EU) 2016/679) is a rule put in place by the European Parliament, the European Council and the European Commission with a simple scope: to strengthen and unify data protection for all individuals within the European Union (EU). It also includes the protection of personal information exported outside the EU. In other words, what the GDPR intends to do is give back citizens and residents of the EU control over their personal data and simplify the regulatory environment for international business by creating a centralized regulation for all members of the European Union.
The regulation was enacted on 27 April 2016, a much-needed replacement for the data protection directive 95/46/EC, from 1995. As expected, most companies that process or control records of personal data will have to adapt to this new reality. If that applies to you, don’t worry, you still have two years, as the GDPR will only apply after 25 May 2018.
How will the GDPR affect your business?
Well, it is quite simple: whether or not you operate within one of the 28 EU member states makes no difference. If your company collects, stores or processes EU citizens’ personal data, the GDPR applies, even if that processing happens outside EU territory. Once the GDPR takes effect, residents will gain quite a few rights concerning their personal information. On the other hand, your company will be limited in how it may use and access that information.
Here are a few points your organization should consider regarding the GDPR:
1. One GDPR to rule them all
It is as simple as that: if your company collects, stores or processes personal information from EU citizens, the GDPR is applicable. Many are regarding the GDPR as the “first global data protection law”. There are going to be a lot of legal complications soon, but as far as the regulation goes, it does not matter where your business is located; if handling EU citizens’ information is part of your strategy, you are in its scope.
2. Making a clear decision on what personal data is
The definition of what personal information is can already be quite comprehensive, and the GDPR intends to broaden it. To summarize, under the GDPR any piece of information that can be used to identify an individual is considered personal data. This definition is far-reaching enough to include general internet-related information, such as data from tracking and storing an individual’s IP address, as well as genetic, psychological, ethnic, financial or social information. Companies will have to make sure they explicitly define all sorts of personal information that they collect, process or store.
3. Consenting to use personal information
It is always nice to know what your personal data is being used for. With the GDPR, companies will have to provide proof of consent for using personal information. This may not be as simple as enforcing “terms and conditions” and having the user blindly agree. Organizations will have to be quite clear and explain what personal data they are collecting and what they are doing with it. Valid consent will become mandatory, and any personal data processing activity that operates without it may be shut down by the authorities.
4. Data Protection Officer (DPO) obligatory for some organizations
As far as titles go, the DPO sounds good. For public authorities that process personal information, it will become mandatory to appoint a DPO. But it does not stop there. If an entity’s core activity requires the regular and systematic monitoring of data subjects on a large scale, or consists of processing particular categories of data on a massive scale, it must also have a DPO. What does this mean? Almost 30,000 new DPOs in Europe alone within the next two years, according to the International Association of Privacy Professionals (IAPP).
5. Reporting on Data Breaches
Unless obligated to, either through contract or regulation, companies tend to keep quiet about data breaches. After all, it does not matter if you have good information security management and proper controls: somehow, something went wrong, and bad press is all you get. Under the GDPR this is no longer an option. Organizations will have only a 72-hour time frame to report a data breach to the local data protection authority after discovering it. In practice, this will mean more monitoring technology, sound processes and the necessary staff with adequate training.
6. The right to ensure erasure
Sometimes all you want is to be forgotten. People who have made a silly comment on a social network understand this, and so does the GDPR. As an EU citizen, you have a limited right to the erasure of personal data related to you in various situations, including cases where the legitimate interests of whoever collected, stored or processed your data are overridden by your interests or fundamental rights and freedoms.
7. Privacy by Design and by Default
From a security point of view, this is one of the most important aspects of the GDPR. Organizations will have to provide evidence that they are always working with data protection principles and incorporating “data protection by design” into their business routines, with data protection considered in the early stages of the development of products and services. This also means that privacy settings must be set at a high level by default.
Ultimately, the General Data Protection Regulation is a significant step towards the protection of personal rights. Only time will tell whether it will effectively be a “global data protection law”. It may be a challenge for companies under its scope, but the benefits for users are far too great not to consider it a great initiative and hope for its success.