EU General Data Protection Regulation (GDPR)
Through the power of information technology, any enterprise that sells products or provides services via the internet is technically a global business. Regardless of whether your organization is a one-person operation selling novelty T-shirts or a Fortune 100 company providing sophisticated cloud computing solutions, you are likely to have customers residing outside your country of origin. In general, this is considered a good thing. – GDPR
However, with that global reach comes certain responsibilities, some of which are codified in laws and regulations with specific, and potentially costly, consequences. For example, the European Union (EU) enforces a new set of regulations designed to protect the data security and the privacy of its residents. The General Data Protection Regulation (GDPR) is applicable to everyone residing in the EU and any business entity that transacts with them, regardless of the location of the business.
Put simply, if you have a customer living in an EU country and you collect any data from that customer as a result of a business transaction, you are subject to the rules and regulations of the GDPR. There are no exceptions for enterprise size or scope, which means any business with an internet presence is potentially subject to this law. This guide explains what the GDPR is and how its provisions impact enterprises and their IT infrastructure.
What is the GDPR?
The EU GDPR replaces the Data Protection Directive 95/46/EC. It codifies and unifies the data privacy laws across all the EU member countries. It’s applicable to any company doing business with a resident of the EU. Specifically, the extended jurisdiction of the GDPR states clearly that it applies to all companies processing the personal data of subjects residing in the EU, regardless of the company’s location.
The provisions of the GDPR for keeping the personal data of customers secure and regarding the legal collection and use of that data by businesses is straightforward and basic common sense, but the penalties laid out for violations are significant. Enterprises found to be in violation of the provisions of the GDPR can be fined up to 4% of annual global turnover or 20 million euros, whichever is greater.
Why does the GDPR matter?
Any enterprise that collects data from customers is potentially subject to the provisions of the GDPR and therefore is also subject to the penalties associated with noncompliance. The penalties for noncompliance can be steep, so every enterprise should know and incorporate strict compliance with the GDPR into their business practices and procedures.
What are the key provisions of the GDPR?
The GDPR defines personal data as any information related to a natural person (data subject) that can be used to directly or indirectly identify that person. It can include anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, and even a computer IP address.
Under such a broad definition, enterprises must take documented steps to limit access to all personal data to authorized and credentialed employees with job roles that specifically require access to that data. Security breaches from lack enforcement of security protocols will be met with stiff fines and financial penalties under the GDPR.
The GDPR also establishes specific rights with regard to data subjects. To comply with the GDPR, these codified rights must be acknowledged and implemented by all companies collecting personal data on EU residents.
The GDPR specifically prohibits the use of long, convoluted terms and condition statements, particularly statements that contain legalese. Any request for consent, declaration of terms, or statement of privacy must be presented clearly and concisely, and without any ambiguity of meaning. Furthermore, it must be as easy to withdraw consent as it is to give it.
Compliance with the GDPR requires companies to notify all data subjects that a security breach has occurred within 72 hours of first discovering it. The method of this notification will include as many forms as deemed necessary to disseminate the information in a timely manner, including email, telephone message, and public announcement.
Right to access
The GDPR requires companies to provide, at the data subject’s request, confirmation as to whether personal data pertaining to them is being processed, where it is being processed, and for what purpose. Companies must also be able to provide, free of charge, a copy of the personal data being processed in an electronic format.
Right to be forgotten
Under the GDPR, companies will erase all personal data when asked to do so by the data subject. At that point, the company will cease further dissemination of the data and halt all processing. Valid conditions for erasure include situations where the data is no longer relevant, the original purpose has been satisfied, or when a data subject withdraws consent.
The GDPR requires companies to provide mechanisms for a data subject to receive any previously provided personal data in a commonly used and machine-readable format. Under this provision, the data subject also has the right to request that the company transmit the data to another processor free of charge.
Privacy by design
Compliant companies must follow privacy by design principles and implement appropriate technical and organizational measures in an effective way to meet the requirements of the GDPR and protect the rights of data subjects. In practical terms, this provision means that companies will process only the data absolutely necessary for the completion of its business and limit access to personal data to only those employees needing the information to complete the process consented to by the data subject.
Data protection officers
Large enterprises wishing to comply with the GDPR will maintain thorough and comprehensive records pertaining to the collection, processing, and storage of personal data. In addition, they will designate a data protection officer (DPO) to oversee the application of the GDPR and to protect personal data from misuse and unauthorized access and other security breaches. If an enterprise meets the criteria, a designated DPO is a requirement, not an option.
Unfortunately for enterprises the world over, the specific criteria for when an enterprise is required to designate a DPO is still in flux. A general rule of thumb to follow, based on the EU Commission’s writings on the topic, is that a DPO is required for any enterprise with more than 250 employees or for any enterprise processing the personal data of more than 5,000 data subjects in any 12-month period.
Penalties for noncompliance with the GDPR
Penalties for failing to comply with the provisions of the GDPR can be severe and carry a significant risk of liability for any company. The maximum assessable penalty for noncompliance with the GDPR is 4% of the annual global revenue generated by the company. The maximum penalty will be imposed on organizations failing to acquire sufficient customer consent to process data or for violating privacy by design concept.
Other violations are assessed on a tiered basis depending on the infraction. For example, a company can be fined 2% for not having its records in order, not notifying the supervising authority and the data subject about a security breach in a timely manner, or for not conducting a required impact assessment of a security breach.
With the internet and cloud computing playing such an integral role in information technology infrastructure, business has become a global operation. Collecting data on customers creates an obligation to keep that data safe—an obligation that is often codified by laws and regulations. Noncompliance with these laws is not really an acceptable option, and in fact, it could prove extremely costly. Contact Musato Technologies to learn more about our innovative and custom ICT services and solutions.
By Mark Kaelin