If you do any business that could gather information from citizens of the European Union, you must make sure that your organization is in compliance or face hefty fines.
What is the GDPR?
The General Data Protection Regulation serves to protect several types of personal data including name, address, identification numbers, location and IP addresses, cookie data, and personal information (racial and ethnic data, health and genetic data, biometrics, political affiliations, gender and identity, etc.).
Personal and Sensitive Data
The European Union defines personal data as “any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.” The GDPR protects personal data of all residents of the European Union regardless of the technology used to process that data. Regardless of how data is gathered, stored, or processed, it is protected by the GDPR.
Who Must Comply?
The GDPR applies to all members of the European Union, as well as any company outside of the EU that markets goods or services to EU citizens. As a result, the GDPR affects global data protection requirements. Most companies that do international business must be compliant with GDPR because of this.
How This Affects You and Your Business
The GDPR mandates that equal liability is applied to data controllers (the organizations that own the data) and data processors (organizations that manage the data). If your organization uses the services of a third-party data processor that is not in compliance, then your organization is not in compliance. It is important to revise contracts with third party data processors that define how data should be managed and protected, as well as how breaches of data security should be handled.
For U.S.-based businesses, there is an increased need to evaluate consent. GDPR pushes companies to make updates that give consumers greater control over their personal data, including how it is shared and gathered. Furthermore, minors under the age of 16 need parental consent to share personal data, meaning that companies need to be mindful of adding age clauses to their privacy policies.
The GDPR imposes fines on companies that control and process data that are found to be non-compliant. Fines are determined based on the following criteria:
- Nature of infringement
- Preventative measures
- Data type
Organizations that are found to be non-compliant face fines as high as 4 percent of the company’s annual revenue.
There are specific requirements that organizations must meet to be compliant with the GDPR. These include:
- Need for consent from individuals – Consent requires that individuals opt-in to allow data processing with their information. The individual must have the right to revoke consent at any time. A child under 16 years of age cannot give consent and parental consent may be required on behalf of the minor
- Providing notification in the case of a data breach – In the case of a data breach, the GDPR requires a report to be made to a supervisory authority within 72 hours of becoming aware of the breach. If the breach causes individuals to be put at risk, they must notify all potentially affected individuals
- Safe transferring of data – A data protection impact assessment is required to be done if the transfer of any highly sensitive data has occurred. This includes information such as systematic and extensive profiling with significant effects, special categories of data including criminal history. Additionally, the assessment requires that organizations systematically monitor places that are publicly accessible on a large scale
- Establishment of data protection officers – The GDPR has provisions for organizations that are not based in the EU which require them to appoint a GDPR representative that is based in the EU and to whom supervisory authorities report to if there is a violation
The GDPR has specified 8 major Rights for individuals:
- Right to be informed – Individuals are allowed information about the collection and use of their data, the purpose for processing their data, how long the data will be stored, who the data is shared with and data breaches
- Right to access – Individuals can access their data. Individuals can receive confirmation that a business is collecting data and can receive a copy of that data
- Right to rectification – Individuals can have their data changed if there are inaccuracies
- Right to restrict processing – Individuals can work with organizations to restrict the processing of their personal data but only in certain cases
- Right to be forgotten – Individuals can request to have their information removed but only under certain circumstances
- Right to object – Individuals can object to having their data processed by an organization
- Right to data portability – Data portability gives individuals the ability to reuse their information as they determine to be appropriate as long as consent was given to collect the data
- Right to refuse automated decision making – Individuals have the right that decisions not be made solely on automatic processing in cases where there would be legal (or similar) effects
Since the GDPR does not have a single agency in charge of enforcing rules, each EU country must have supervisory authorities that work to enforce the regulations in the GDPR and impose fines for violations.
The duties of supervisory authorities include:
- Monitoring and enforcing regulations
- Handle and investigate complaints
- Keeping the public aware of risks, rules, protections and individual rights
- Monitoring the development of information and communication technologies
- Issue warnings, fines and bans for any violations found
Your Organization needs to conduct an audit to determine whether or not you are in compliance with the GDPR. An audit can help you identify areas that require improvement and keep you compliant.
Questions to ask during an audit include:
- How and where does your organization move and store data?
- Do you have a data protection officer?
- Who has access to the data your organization stores?
- Is your organization aware of GDPR notification requirements?
- Are your organization’s notifications clear?
- Is there a legal basis for processing and collecting data?
- Is there documented proof of your organization’s legal basis?
- What is your organization doing to manage data risks?
- What data does your organization have?
- What does your organization use the data for?
As you can see, it is crucial to make sure that your business is in compliance with the GDPR if you do any type of business that affects any citizen of the European Union. Fight the urge to convince yourself that since your company is not in the EU, the changes to the GDPR do not affect the way you do business. In a rapidly changing online world, data protections are changing to keep up with potential problems and challenges. Protect yourself and your organization by taking KnowledgeCity’s online course “General Data Protection Regulation” to help you more fully understand what individuals are entitled to with their data and how your organization can make key changes that will keep you in compliance with the GDPR.