What is GDPR? In a Nutshell. The General Data Protection Regulation, if it becomes law, would impact any company that gathers, processes, or stores data from individuals in the European Union—that is, virtually every company that does business in the EU.
Additionally, Over the past few years, several high-profile data breaches have flooded news and social channels, from Yahoo to eBay and most recently with Equifax. Now, more than ever, age protecting customer data is more critical, even crucial, and the EU is taking no chances by announcing a strict new set of rules for anyone choosing to do business within its network of nations.
On the 25th of May 2018, the General Data Protection Regulation (GDPR) will be enforced in all European Union (EU) member states. GDPR is one of those abbreviations, that is, making “the rounds”, but what does it really mean for your Organization? Citing the EU: “If you process data about individuals in the context of selling goods or services to citizens in other EU countries then you will need to comply with GDPR”. Meaning anything you sell will need to adhere to a set of strict rules when processing personal customer information. Non-compliance with this regulation can result in heavy fines. A breach can result in a €20,000,000 ($24,637,200 USD) or 4% of global yearly revenue! In the world today, it is likely that this relates to your products or services. Under this regulation, a user’s IP address or email will require the same level of protect as a National insurance or a Passport number; It’s all Personal identifiable information (PII).
The goal of GDPR is to protect Citizens (Data subject) from privacy and data breaches. In a society where we are reliant on our data being held by many different bodies; this is a regulation designed to look after our best interests. But practically, how is this achieved? The EU has set out a number of new rights for Data subjects:
Notification of Breach
If a data breach is likely to risk an individual’s privacy, the data subject must be notified within the first 72 hours of the finding.
Right to Access
An individual has the right to obtain confirmation if their personal data is being processed by an organization, and for what purpose. The organization must also provide a copy of the personal data, free of cost, in a digital format.
Data Erasure
The right to be forgotten empowers the individual to instruct the organization to erase his/her personal data.
Portability of Data
Customers may receive personal data concerning them, which they have previously provided and can send this to another organization.
Privacy by Design
Data protection must be included during the conception of the design of a new system. Organizations must only hold and process data absolutely necessary for their obligations. (This is also called data minimization).
Data Protection Officers
Instead of notify local Data Protection Authorities (DPAs) of data processing activities, there will be internal record keeping requirements. Appointment of a Data Protection Officer (DPO) will be mandatory in organizations whose core activities are related to processing and monitoring of customer data.
Will GDPR help you, your organization and users? Although the regulation comes with additional red-tape, it also brings a common set of practices that will eventually become a standard way of working.