Data security is a global problem that crosses all international borders, time zones and currencies. Cyber criminals based in one part of the world can freely target companies or individuals across the globe in a matter of seconds. Therefore, your organization’s cybersecurity posture must be agile and able to monitor, detect and respond to incoming threats regardless of the time of day, your nation’s native language or other considerations.
In response to the fast-changing global cybersecurity landscape, legislators in the European Union recently adopted a unified data security law that is intended to help bolster cybersecurity in that part of the world.
What is the GDPR?
The European Union General Data Protection Regulation (GDPR) is the most significant change to data privacy in the EU in more than two decades. The new law replaces the Data Protection Directive 95/46/EC, which was adopted in 1995, and is intended to standardize data privacy laws across the EU.
When it goes into effect, the full text of the GDPR will apply the same data security rules and standards for all companies offering goods and services in the EU, both those based in the EU and those located outside the union, but doing business with EU citizens.
When Does the GDPR Go Into Effect?
The GDPR was approved by the European Union Parliament in April 2016 to go into effect two years after that approval. Therefore, enforcement of the new law is expected to begin in May 2018. Proficio has expert cybersecurity analysts on staff who can help your company gain compliance with the GDPR or any other compliance regulation, such as HIPAA or PCI DSS.
What Counts as “Personal Data” Under the GDPR?
The GDPR regulates the collection and storage of “personal data.” Under the law, personal data is defined as any information related to a natural person, or “data subject,” that can be used to directly or indirectly identify that person. Personal data could be a person’s name, an identification number, location data or an online identifier such as a digital advertising “cookie” or an IP address. Factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a person might also constitute personal data under the GDPR.
Sensitive personal data is further defined in the law as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and data concerning a person’s health or sex life. Data relating to criminal offenses and convictions also are treated by the GDPR as sensitive personal information, which is subject to additional protections and restrictions under the new law.
Which Businesses are Covered by GDPR?
It is important to note that the GDPR governs all companies that offer goods and services to EU residents and covers more than just businesses or organizations that are based in the EU. The GDPR is far-reaching and will apply to companies that are located outside the EU if they offer goods or services to, or monitor the behavior of, EU residents. Therefore, all companies or organizations that process or hold the personal data of data subjects residing in the EU will be covered by the law, regardless of the company’s physical location.
What are the Primary Changes in the GDPR?
The most significant change to data security in the EU contained in the GDPR is the extended jurisdiction of the law. The reach of the GDPR is being expanded to encompass all companies processing personal data of EU residents, even those companies based outside of the EU. Prompted by recent court cases in which it was unclear whether previous data security laws applied to companies based outside of the EU, legislators expressly stated that the law will apply to any processing of data from EU sources, whether or not the company doing the processing is based in the EU.
The penalties for violating the GDPR also have been beefed up, providing for fines up to four percent of a company’s annual revenue or 20 million euros, whichever is greater. Companies that do not have sufficient customer consent to process consumer data or otherwise violate the terms of the GDPR could face stiff fines.
A third major change that the GDPR imposes, which was not part of previous EU data security laws, concerns consent. Under the GDPR, companies will no longer be able to use confusing, illegible terms and conditions filled with hard-to-understand legal language. Instead, the request for consent to collect or store personal data must be intelligible and easy to access, using clear and plain language. Consumers must also be able to withdraw their consent as easily as they gave it.
Breach notifications are another major change in the GDPR and will become mandatory when a data breach is likely to result in a risk to the rights and freedoms of individuals. The breach notification must be issued to customers within 72 hours of when the company first became aware of the breach.
What About Brexit and the GDPR?
With the United Kingdom leaving the EU, many questions are being raised about whether residents of England, Scotland, Wales and Northern Ireland will be covered by the GDPR. While the answer remains in flux, the current posture is that if your company processes data while selling goods or services in other EU countries, then compliance with the law would be required for transactions involving UK residents, even after Brexit.
However, if your business activities are limited to the UK, the answer currently is less clear. The UK government has said it will adopt data security rules similar or equal to those in the GDPR, but how the matter will be governed by the UK in a post-EU world is not yet known.
If the matter is not sorted out by May 2018 when the GDPR goes into effect, the old adage of “better to be safe than sorry” would apply and companies would be advised to meet the GDPR requirements for collecting and storing personal information, even for UK residents, at least until a clearer path forward is defined.
What Your Organization Can Do Now to Prepare for the GDPR
The new GDPR rules and regulations don’t go into effect until May 2018, but there are steps that can be taken before then to help prepare your organization to comply with the changes.
- Review your current data collection and processing procedures and determine whether your organization is handling data that falls under the GDPR’s expanded definitions for personal data. In particular, be aware of what can be included as an “identifiable natural person” as it relates to the definition of personal data.
- If your company or organization relies on consent for gathering personal data, review your current consent mechanisms to ensure they meet the stronger requirements in the GDPR.
- Review the data protection language your organization currently uses in HR, IT and other department policies and update them as necessary to reflect the coming changes from the GDPR.