Many have heard tidbits about the acronym “GDPR,” but do not understand the regulation or feel that it doesn’t apply to their organization since it is a European Union law. Surprisingly, even without locations or affiliations in the EU, companies here in the United States may be subject to hefty fines for noncompliance.
In addition to the risk of damaging reputation, noncompliance with the GDPR may have significant financial consequences. Data protection supervisory authorities may impose administrative fines of up to €20 million or 4 percent of the total global turnover. This should cause concern and make GDPR compliance the utmost importance for organizational leadership. (Not complying with the GDPR can also make you a target for cybercrime. Learn more in How Cybercriminals Use GDPR as Leverage to Extort Companies.)
Where does it apply and what is the impact?
The General Data Protection Regulation (GDPR), put into place by the European Union on May 25, 2018, is designed to ensure that organizations are adequately protecting the privacy rights of individuals concerning the processing of personal data. It is the most significant change in data privacy in the EU in more than 20 years.
The GDPR applies to all organizations that have an establishment in the EU, but also, it marks a significant expansion of the territorial scope of the EU data protection regime. This extra-territorial reach is triggered if companies meet one or more of the following conditions:
- Goods and services are offered to EU citizens
- The behavior of EU citizens is monitored (e.g., by using cookies on websites)
- Personal data is processed in the context of an establishment (e.g., an affiliate) in the EU
How do companies demonstrate compliance with GDPR?
The GDPR sets out seven major principles that all organizations are required to comply with when they process personal data:
Lawfulness, Fairness, and Transparency
There must be a legal justification for processing personal data and the reason for processing must be transparent to the data subject.
Personal data must be collected for specified, explicit and legitimate purposes, and not further processed in a way incompatible with those purposes.
All personal data collected must be limited to what is necessary in connection with the purpose for collecting it.
Personal data must be accurate, and where necessary, be kept up to date.
Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
Integrity and Confidentiality
Personal data must be processed in a way that ensures appropriate security of personal data.
The controller shall be responsible for, and be able to demonstrate, compliance with the principles.
Accountability is one of the most important new requirements under the GDPR. Accountability means that the organization must show that it can comply with the GDPR. Companies must be able to demonstrate compliance to meet the accountability requirement, which includes:
- Appointing a data protection officer or local representative, where necessary
- Completing and maintaining records of data processing activities
- Assessing the appropriate level of data security and implementing appropriate technical and organizational security measures
- Implementing data protection by design and by default and documenting the measures taken; carrying out data protection impact assessments, where necessary
It’s about protecting the data privacy rights of individuals!
The GDPR defines “data subjects” as “identified or identifiable natural person[s].” In other words, EU citizens that may be employees, customers, suppliers, or others from whom or about whom companies collect information in connection with business and/or operations. The GDPR also spells out certain rights for its data subjects:
Right to Information
Data subjects have the right to be informed about the collection and use of their personal data.
Right of Access
If processing personal data of data subjects, they have the right to access this information and obtain a copy.
Right of Rectification
Data subjects are entitled to have their personal data rectified if it is inaccurate or incomplete.
Right of Erasure
Enables data subjects to request that data is deleted or permanently removed, including from backup systems.
Right to Restrict Processing
Data subjects may request that companies restrict the processing of their personal data.
Right of Data Portability
Data subjects may submit a request to receive their personal data in a structured, commonly used and machine-readable format or instruct that their personal data is transmitted directly to another data controller.
Right to Object
Data subjects have the right to object to processing of their personal data.
Automated Decision Making (including profiling)
The purpose of this right is to provide safeguards for data subjects against the risk that a potentially damaging decision is taken without human intervention.
Withdrawal of Consent
Data subjects must be allowed to withdraw any consent given (e.g., consent to receive marketing email, etc.) at any time without penalty.
Organizations should have procedures in place to respond to data subject requests (DSRs) regarding the rights mentioned above. The legal basis, processing data, or other factors will dictate how your organization responds to a DSR, so it is essential to consult with legal professionals that have expertise regarding the GDPR. (Protecting customer data is paramount in the GDPR. Learn more in Is Your Customer Data Really Safe? How It Can Be Exposed.)