Unless you have been living under a rock in a remote and off-grid place, you have probably been bombarded with news about the new GDPR policy that has taken effect as of May 25th, 2018. It is literally in your face with almost every other website you visit popping a message up stating the fact that they want your consent regarding how they can utilize your personal data.
What is GDPR?
The General Data Protection Regulation (GDPR), also known as Regulation (EU) 2016/679, is a new regulation that will allow the European Commission to strengthen and unify the protection of individuals’ data that is collected within the European Union.
Accordingly, the regulation lays down the rules regarding:
- The protection of the individual when it comes to the processing of their personal data
- The free movement of said personal data
- The protection of the fundamental rights and freedoms of individuals with an emphasis being made on their right to the protection of their personal data
- The fact that the free movement of personal data within the European Union will be neither restricted nor prohibited for reasons related to the protection of individuals when it comes to the processing of their data
Ok, but what exactly are the stipulations?
Well, right about now you might be wondering what exactly it is that is stipulated in the new data regulations. Let’s have a look:
- Privacy by Design (PbD): The European Union has always been a stickler when it comes to the collection of data on its citizens. And even now, the new regulations further detail, in an even more explicit format, the minimization of the data that can be collected and kept. There is also more emphasis on its retention and gaining prior consent from consumers before their data can be processed.
- Data Protection Impact Assessments (DPIA): Under this new stipulation, companies will first have to do some risk analysis before they can process certain types of data that could put the subjects at risk.
- The right to deletion and being forgotten: Although there has always been a requirement that allows consumers to ask for their data to be deleted, the GDPR now further extends it. In the new stipulation, the subjects can now ask for data already published on the Internet to also be deleted and have their information “forgotten.”
- Extraterritoriality: This is probably the stipulation that will be of real interest to you. According to the GDPR, the rules will apply to all businesses that collect data on EU citizens – even if they are not physically located in the Union’s territories. In other words, foreign companies and even those that exist in the cloud or use websites to reach the citizens will also be affected.
- Breach notification: A new stipulation in the GDPR, this requirement states that businesses will have to notify data authorities – within 72 hours – should they discover that there has been a data breach. Also, the subjects will need to be personally notified should the leaked data pose a high risk to their rights and freedoms.
- Fines: As if to show that they really mean business, the GDPR sets out a penalty scheme that could really hurt businesses’ pockets – no matter how deep they may be. Examples include:
  - Serious infringements, like violation of basic principles related to data security, could see a business pay a fine of up to 4 percent of its global profits
  - A business that doesn’t have its records in order, or decides it didn’t need to notify overseeing authorities about a breach, could also see a substantial percentage of its global profits go towards fines
As you can probably see, the new regulations are concerned with protecting the data of people whose data is accessed within the European Union. It is quite obvious that your next question is going to be…
So, what does this have to do with my business?
In the point on extraterritoriality above, it has been noted that the EC isn’t going to take any nonsense from offshore companies – even if they are on mainland USA, but do business with clients in the Union. Even if you are an American citizen and have a business model that exists entirely in the cloud, you will still be liable under the rules and could face the hefty fines stipulated above should you be found in breach.
And, what do I need to do to comply?
According to the stipulation, if you want to continue dealing with your EU consumers, there are certain steps you will need to take in order to comply with the GDPR. They include:
- Figuring out how you will report breaches within the set time limit
- Providing your existing and future customers with a way to have their data deleted and then be “forgotten”
- Finding out how you are going to conduct DPIAs on the data you already have and on the data you will capture in the future
It is of great importance that you put these measures in place today if you have any dealings, or plans thereof, with EU consumers or customers. Otherwise, it could prove to be a costly mistake that might bring your business to its knees.