The GDPR (General Data Protection Regulation) was formally adopted in April 2016, and goes into effect on May 25, 2018. Some tech leaders are calling it “the next Y2K” for the dramatic impact that it will have on IT systems around the world. Unlike with the Y2K bug, however, companies that don’t comply are likely to face serious fines and penalties.
As we enter the final countdown with one month to go, this GDPR summary will discuss what you need to know before and after the legislation takes effect. Ready to have the GDPR explained? Let’s get started.
Data is the currency of the 21st century, and companies are constantly seeking to know more about their customers. For example, technology giants such as Google, Facebook, Amazon and Apple collect large amounts of personal data about the individuals who use their products and services. This includes demographic information, location data, social interactions, interests and likes.
Of course, all individuals must willingly consent to data collection by reading and signing a terms of service document. However, once they provide access to this information, people have little to no control or clear understanding of how these companies use it, store it, or share it with third parties.
The primary goal of the GDPR is to restore control of personal data back to the consumer, and provide personal data privacy and protection as a basic right. The GDPR aims to minimize the risk that individuals face through privacy violations and misuse of their personal data.
The GDPR applies to any organization that handles the personal data of EU citizens and residents. This means that in addition to companies based in the EU, organizations based anywhere in the world outside of the EU (including the US) must comply with the GDPR in order to conduct business with EU individuals.
The GDPR outlines many different requirements for companies affected by its regulations. These obligations fall under one of three primary concerns: obtaining data, retaining data, and releasing data.
The moment personal data is collected, you must clearly explain to the individual how you plan to use it. This includes your purpose for acquiring the data, the individual’s right to access it, and the period for which the data will be retained.
In most cases, individuals must provide their affirmative consent before you can begin the collection process. You then need to keep track of how you obtained this consent in the event of a regulatory audit, as well as provide the option for users to withdraw their consent at any time.
In certain cases, you may not need to obtain consent if you can demonstrate that your organization has a “legitimate interest” in collecting personal data. The GDPR explicitly defines several examples of a legitimate interest, such as fraud prevention and direct marketing.
Once personal data is in your hands, the GDPR requires you to take adequate measures to protect it. For one, companies that meet certain criteria will need to hire a data protection officer (DPO). Zettaset has put together a comprehensive, useful guide to DPO requirements under the GDPR.
Although there are no explicit requirements for encryption, it should still be part of any company’s GDPR checklist. This is because the GDPR provides a broad directive to enforce security measures and safeguards. In particular, the GDPR repeatedly highlights encryption as an “appropriate technical and organizational measure” of data security.
- “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data” — Article 32
- “In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected.” — Recital 83
Finally, organizations cannot hold on to personal data indefinitely. You can only store personal data as long as there remains an appropriate business use case for it. Once that lapses, you must delete or anonymize the data.
Since 2014, individuals in the EU have had the “right to be forgotten,” which lets them request that search engines and other internet services remove their information. In order to provide this right, you must establish processes around erasing data. Educate your team members about the roles they will play, find all applicable information that needs to be deleted, and keep the data that you must legally preserve.
The GDPR also guarantees the right to “data portability,” with which users can efficiently move their information between organizations. This will require you to provide the data in a machine-readable format, such as a CSV file, that external parties can read if the data subject requests it.
In the event of an “unintentional release” (for example, a data breach) you must notify the affected individuals within 72 hours. You are exempt from that communication requirement, however, if the affected data was encrypted. Encryption ensures that the encrypted information remains unintelligible to the attacker.
- “The communication [and announcement of a data breach] shall not be required if any of the following conditions are met: the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption.” — Article 34
The cost of noncompliance is severe. Fines can reach as high as 4 percent of your global annual revenue or 20 million euros (roughly 25 million USD), whichever is greater. However, the biggest cost may be reputational. Partners and vendors will be less likely to do business with noncompliant organizations, and individuals will come to expect a higher level of data security.
Finished with this General Data Protection Regulation summary and want to learn more? Check out Zettaset’s in-depth GDPR summary for explanations of the various GDPR principles. You can also learn how Zettaset’s encryption software can make it easier to get started with GDPR compliance.