If you’ve been keeping up with information protection and privacy news, you’ve likely wondered what exactly this “GDPR thing” is all about. GDPR is short for the General Data Protection Regulation, and it’s scheduled to come into force on May 25, 2018.
The GDPR is a set of regulations that aim to strengthen and unify data protection rules for individuals within the European Union, both citizens and residents. However, the GDPR applies to all companies that do business with (and use personal data from) the EU. That includes a large proportion of enterprise companies headquartered in the US, Canada, China, Japan, and other non-EU countries. Whether you’re just hearing about the GDPR for the first time or you’re beginning to make preparations, this article will help you get started on your GDPR journey.
The GDPR has two main goals. First, the regulation will establish a single set of data protection rules across the EU. Because the GDPR is an EU regulation, it will take effect for all of the EU’s 28 member countries. Individual countries may choose to enact additional regulations building upon the GDPR, but cannot alter or remove any parts of the regulation.
Second, the intent of the GDPR is to give individuals greater control over their personal data. This includes sensitive information, of course, but also any information that can be used to identify an individual. Examples include first and last name, email address, ID numbers, physical addresses, and online identifiers such as IP addresses and cookies. The GDPR applies equally across all strata of society; there is no distinction between data collected on private citizens, employees, or public figures.
Although the GDPR is a complex regulation, the main thrust can be summarized in a few core ideals:
Notice and consent are the two requirements that will be most obvious to EU consumers once the GDPR takes hold. First, as an organization collecting personal information, you must provide notice of the collection and explain to the consumer your purpose for doing so. In addition, you must inform consumers about their right to access their personal data and the period for which the data is retained.
Beyond providing notice, you must also obtain consent before you can begin the collection. In order to ensure that you have a lawful basis for data collection, consumers must affirmatively agree to the collection of their information, unless your company has a “legitimate interest” in doing so. Such legitimate interests may include direct marketing, web analytics, and personalization of content.
Organizations must track how and when the consent of consumers was obtained in order to create a paper trail for auditors if necessary. Conversely, consumers must be able to withdraw their consent at any time.
Even after you’ve collected an individual’s personal data, the subject of that data ultimately retains rights over its use. Data subjects can ask an organization to provide them with access to the personal data it has collected about them and to explain what the company is doing with it. Data subjects can also ask an organization to correct any inaccurate data or delete the record entirely.
Even apart from honoring consumers’ deletion requests and withdrawals of consent, organizations cannot store personal data indefinitely. Personal data can only be retained as long as a business use case exists for storing or processing it. Once this is no longer the case, the data must be deleted or fully anonymized, stripping it of identifying details.
Data breaches will become an even greater concern for organizations under the GDPR. In the event of a breach involving personal data, companies must inform affected individuals within 72 hours. The GDPR also requires that organizations take “appropriate technical and organizational measures” to maintain data privacy and security.
In particular, the GDPR highlights “the pseudonymization and encryption of personal data” as one strategy that organizations can use to protect themselves. You may choose to encrypt data that exists in multiple parts of your IT environment, including data at rest in servers and storage, as well as data in motion in networks. Companies like Zettaset offer powerful, high-performance data encryption solutions that can play an important role in your overall GDPR strategy.
According to estimates, simply meeting the GDPR requirements will involve considerable cost. For example, PricewaterhouseCoopers’ pulse survey of executives found that 68 percent of U.S.-based companies expect to spend between $1 million and $10 million in order to fulfill the GDPR requirements. Another 9 percent of executives expect that GDPR compliance will cost them more than $10 million.
Despite the heavy costs of GDPR compliance, the price of non-compliance could be even greater. Organizations that fail to comply with the GDPR regulations can be fined up to 20 million euros or 4 percent of their annual global turnover, whichever is greater.
These penalties have the potential to be particularly harsh for massive multinational corporations. Amazon, for example, had 2016 revenue of $136 billion, which would equate to a fine of up to $5.44 billion for GDPR non-compliance.
Other major tech companies could similarly pay sky-high amounts in GDPR fines. Going by the maximum 4 percent revenue penalty, Google would have to pay up to $3.6 billion, Facebook up to $1.1 billion, and Netflix “only” up to $352 million. Meanwhile, management consulting firm Oliver Wyman predicts that the FTSE 100 companies, which are the top 100 companies on the London Stock Exchange, could face annual fines as high as £5 billion ($6.9 billion) for failure to comply with the GDPR.
Regardless of the size of your organization, the message is clear: 4 percent of annual revenue is a serious deterrent to non-compliance and a major incentive to get with the program.
The GDPR applies to all organizations, regardless of location, that control or possess EU citizens’ and residents’ personal data. Does your company market products to EU citizens or monitor their behavior? If so, proceed to the next step.
What personal data is stored in your contacts database? How do you collect personal data and how do you justify storing and processing it? What data do you have, where is it stored and accessed, and who has access to it? If you don’t have existing policies on how you handle personal data, now is the time to start.
The EU’s ODPC (Office of the Data Protection Commissioner) is charged with enforcing the GDPR. Even if you don’t think you can be fully compliant by May 25, companies that make honest efforts toward compliance will be treated differently than those that flagrantly break the law, according to the ODPC.
GDPR is not Y2K. Organizations that use inbound marketing will have an easier time with the GDPR. This is because they’ve already established opt-in consent, making compliance easier. Work on improving your processes for capturing and preserving users’ consent.
Zettaset XCrypt data encryption solutions are designed for today’s complex, demanding distributed computing architectures. Enterprise customers rely on Zettaset to deliver advanced data encryption solutions that deliver performance and scalability while easily fitting within existing enterprise IT frameworks.