In 2016 the European Union (EU) passed legislation that dramatically shifts regulations surrounding personal data collection and it is expected to impact companies globally. This new General Data Protection Regulation (GDPR) legislation is slated to take effect in May of 2018, and if this is the first you are hearing about it, the next few months could be critical to properly prepare your organization for its arrival. General Data Protection Regulation (GDPR) applies to any company, of any size, anywhere in the world, that offers its services to any EU Resident. GDPR will outlaw many standard business practices currently used. If your organization targets or provides services to anyone in the EU, it is almost certain that you will need to make data processing adjustments to become GDPR compliant.
What’s New?
A) Personal Data Definition
Personal data will now be defined as any data that could directly, or indirectly, be traced back to an individual that is not publicly available. This new definition is much broader than its predecessor and includes data such as IP Addresses, Cookie Identifiers, and even identifiers such as Gender.
Additionally, You Need:
- A legitimate reason to process personal data
- An intention for fair and lawful use of that data
In summary, the new GDPR legislation places a more cumbersome burden on businesses to have a legitimate and fair reason for personal data acquisition.
B) Data Breach Transparency
A GDPR infringement is most likely to be discovered and become enforceable in the event of a data breach. If your organization experiences a data breach, a notification must be sent to the Information Commissions Office, of the country the EU citizen resides in, within 72 hours of becoming aware of the breach. Any data subjects must also be notified if the breach is likely to result in any risk to their freedoms or rights.
C) Data Portability
Clients/individuals can ask for all their personal data to be provided in a structured and readable format and, when technically feasible, organizations must facilitate an electronic transfer from one to another.
Are you able to provide an individual with a copy of all his personal data? Can your systems handle such a request?
D) Core Principles
Opt-In Only
All Contacts must provide consent to be emailed
Sender must be able to prove consent was given
No Soft Opt-in
Implied Consent no longer enough
Disclaimers are not sufficient, users must actively opt-in
Right to be Forgotten
If a client/individual requests that their personal information be ‘forgotten,’ you must remove all identifying information from your systems
Why Should You Care?
As a business owner, you need to review your data collection processes and all information currently help in your systems, to see if anything fits this new, more broad definition of personal information. Additionally, ensure that any outbound marketing is given documentable consent from targeted consumers ahead of time and that your company utilizes Only Opt-In clauses for any additional consumer touchpoints.
In the event that you experience a data breach, leaving any individuals personal information vulnerable, be sure to alert the Information Commissions Office and to proactively notify any of the data subjects effected by the breach.
If you don’t…
You may face VERY hefty non-compliance fines. These fines can range up to, and potentially exceed, 20MM Euros (23.4MM USD)
Fines are dependent on three main criteria:
Duration of Infringement
Quantity of the Data Subjects Affected
Level of Impact
This new law can affect any organization anywhere in the world and is NOT limited to EU organizations. Be aware of the new laws and ensure that your data processing systems are prepared to handle these regulations before any legal action might be taken against your organization. Above all else, implement strong cybersecurity controls to keep your company from being the victim of a data breach.