General Data Protection Regulation (GDPR)
This sweeping cybersecurity legislation, the first of its kind of this magnitude, will go into effect on May 25, 2018. All companies in the United States that do business in the EU will need to change the way "personal data" is obtained, stored and secured in order to comply with the new law.
For purposes of this law, personal data is defined as "Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
This definition includes a series of identifiers including name, online identifiers and location data. What this means is that personal data is now any data that has been gathered which could be linked back to someone, either directly or indirectly (such as an IP address). Because of this change, the key thing companies must do is review their current data collection process to see whether they gather and hold any data that is now included in the much broader definition of personal data.
With the GDPR, there will be greater specification around many areas that affect personal data, resulting in more obligations for companies that control and use it. Yet, understanding how to process data fairly and lawfully will enable businesses to meet compliance requirements, to use the data for legitimate purposes, and to help their customers feel that their personal data is secure and processed correctly.
If your company needs help getting ready for, or complying with, the new law, contact us to speak with one of our GDPR Compliance experts.