The General Data Protection Regulation (GDPR) is expected to set a new standard for consumer rights regarding their data, but companies will be challenged as they put systems and processes in place to comply.
The European Parliament adopted the GDPR in April 2016, replacing the 1995 Data Protection Directive, and its provisions became enforceable on 25 May 2018. It requires businesses to protect the personal data and privacy of people in the EU for processing that takes place within EU member states, and it also regulates the transfer of personal data outside the EU. Because it is a regulation rather than a directive, its provisions apply directly and consistently across all 28 EU member states, which means that companies have just one standard to meet within the EU. However, that standard is quite high and will require most companies to make a large investment to meet it and to administer it.
But can the GDPR be enforced against companies in the United States? Yes. The regulation applies to any organization, wherever it is established, that offers goods or services to people in the EU or monitors their behaviour there (Article 3(2)), and such organizations generally must designate a representative in the EU (Article 27). The EU-US Privacy Shield framework, adopted in 2016, also showed that the United States government was prepared to cooperate with EU privacy enforcement: the Federal Trade Commission enforced the commitments made by companies that self-certified under it. Note that Privacy Shield was a mechanism for lawfully transferring data to the US, not the basis of the GDPR's reach, and the Court of Justice of the EU invalidated it in July 2020.
“Any business that collects even anonymous information from EU residents will be subject to GDPR compliance and, in the event of noncompliance, hefty fines”
Compliance creates new obligations and expectations for security teams. For example, the GDPR defines personal data broadly, as any information relating to an identified or identifiable person. Companies therefore need the same level of protection for an individual’s IP address, device identifiers or cookie data as they do for a name, postal address or Social Security number.
Primary GDPR concerns for US companies include:
- Data Permission (consent) – This covers how you manage email opt-ins and anyone who asks to receive promotional material from you. Consent must be ‘freely given, specific, informed and unambiguous’ and expressed by a ‘clear affirmative action’ (Article 4(11)); pre-ticked boxes, silence or inactivity do not count, and withdrawing consent must be as easy as giving it (Article 7).
The following obligations apply to every organization in scope, not only EU-based companies:
- Timely Breach Notification – If a personal data breach occurs, you must notify the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33); if the risk to individuals is high, the affected people must also be told without undue delay (Article 34). The clock starts at awareness, so detection and escalation procedures need to exist before an incident happens.
- Right of Access – If users request their data, you must provide a free electronic copy of the personal data you hold about them, together with the purposes of processing and the recipients, normally within one month (Article 15).
- Right to Be Forgotten – Your customers have the right to request erasure of their personal data (Article 17). The right is not absolute (erasure can be refused where the data is still needed, for example to meet a legal obligation), but where it applies you must be able to locate and delete a person’s data across every system, including copies held by your processors.
- Data Portability – Users must be able to obtain the data they provided to you in a structured, commonly used and machine-readable format and reuse it outside your company, including having it transmitted directly to another controller where technically feasible (Article 20).
- Privacy by Design – Article 25 requires data protection by design and by default: systems must be built from the start with appropriate technical and organizational measures (the regulation names pseudonymisation and data minimisation as examples) and must, by default, process only the personal data necessary for each purpose.
- Data Protection Officer – In some cases your company must appoint a data protection officer (DPO): when it is a public authority, when its core activities involve regular and systematic large-scale monitoring of individuals, or when they involve large-scale processing of special categories of data such as health data (Article 37).
The GDPR defines several roles responsible for ensuring compliance: the data controller, the data processor and the DPO. The controller determines the purposes and means of processing personal data; the processor processes it on the controller’s behalf. The controller is also responsible for making sure that outside contractors comply: it may only use processors that provide sufficient guarantees, and the relationship must be governed by a contract that sets out the processor’s obligations (Article 28).
Though the task seems daunting, compliance is essential and a necessary part of moving your company forward.
For more information on how TAG can help your company become compliant, or to request help with compliance, please visit our website.