The GDPR brings a new set of data regulations: Here’s what to know and if you need to do anything.
Over the past several months, conversations have arisen concerning the new GDPR, or General Data Protection Regulation created by the EU. It’s quickly moving from a casual bit of IT news to an important issue for companies creating long-term data strategies: In other words, it’s time to make some decisions about this new regulation. To help out, here’s what you need to know about the GDPR and why you should consider a response.
1. The GDPR Is More Far-Reaching Than You May Expect
Yes, the GDPR is an official EU standard, and it is not a law enacted anywhere outside of the EU. However, it has a lot more reach than you might expect. Yes, it’s a European “regulation” (which is somewhat behind a “directive” but still very important), but it’s one that applies to the data of all EU citizens (including pre-Brexit Britain). That means if you have any customers, partners, or supply chain links in the EU (or want some in the future), you need to be aware of what the GDPR requires and of whom it requires it.
That’s part of the intent of the legislation: It’s designed to encourage data privacy and security practices among businesses across the world that want to deal with EU customers. And unless your company is highly separated into divisions, it’s also a good opportunity to update your data systems for all customers. On the downside, this may mean that it is no longer feasible to use data in the same ways that you did in the past. On the upside, the GDPR is broadly considered a win for customer privacy.
2. Controllers and Processors Are Targeted
The language of the GDPR makes it clear that “controllers” and “processors” are required to follow the new regulation. So what does that mean? Well, a controller is any entity that’s making decisions about what data is collected and how that data is used. A processor is any organization directly involved in collecting, storing, and transferring that data. Sometimes the controller and processor are the same organization, and sometimes one is just using the services of the other. Both must follow the GDPR.
3. “Personal Data” Is a Key Phrase
Most of the GDPR is focused on protecting what it calls personal data – so naturally, everyone is curious about exactly what personal data means. The definition can change over time, and in fact one purpose of the GDPR was to expand that definition so that more types of data are protected. Under this regulation, personal data includes basic identification and contact information, but also IP addresses, economic data, health data, and cultural data – basically, anything that’s been collected about a specific person.
There are different ways of making personal data more or less anonymous by collecting it in aggregate or limiting how it is collected. The GDPR has more specific regulations for these cases, but basically, if the data can be traced back to an individual, there’s a good chance that the rules will apply.
4. The Heart of the GDPR Is Lawful Use and Consent
All right, so now we have covered personal data: What are companies supposed to do with it to meet the GDPR? There are several restrictions that businesses must follow:
- Data collected must be for a specific purpose.
- Data must be processed with consent, which is an affirmative action by the subject regarding specific data. That means limited autofill and no auto-acceptance for web forms. If consent isn’t really possible for the subject (for a variety of reasons), then the data processing must comply with any legal obligations or meet other standards (preventing fraud, etc.).
- Individuals can ask to see what data a controller holds on them.
- Individuals must be able to withdraw consent and have their data deleted at any time. They can also demand that their data be moved somewhere else, which means holding data in a compatible format.
- Once the specific purpose of the data processing is finished, the held data must be deleted. It cannot be held onto or passed onto any other organization not connected with the original purpose.
5. The Regulation Also Pertains to Data Attacks
If a data breach occurs, the organization must inform the proper authority (the body that governs data protection in the countries of the individuals whose data is held) within 72 hours, or face steep fines (the GDPR greatly increases the possible fines). This poses a bit of a challenge: As noted above, data must be kept in formats that are relatively easy to transfer to other organizations, but that same data must also be protected against attackers.
6. IT Professionals Aren’t Prepared
A study by Imperva indicates that, for example, less than half of cyber security workers in the UK are even evaluating the requirements of the GDPR thus far. The number no doubt drops much further for the United States and other countries outside of the EU, which means organizations may be caught off guard. It’s important to find out if you need to conform to any part of the GDPR and what changes may need to be made in your systems to make sure that they are compliant.
Fortunately, not everyone is taken by surprise. Companies like Microsoft are working to make sure that their systems are GDPR compliant: It’s important to know if your vendor or software provider is doing the same.
7. The Deadline Is Currently in 2018
Specifically, the GDPR requires that companies be ready for the new regulations by May 25th, 2018. This isn’t much time, but remember that the EU has been working on their regulations for several years, so it seems reasonable to them.
It’s also important to note that when it comes to compliance, dates are rarely set entirely in stone: They tend to get pushed back, or organizations are allowed to file for more time. However, that doesn’t mean you should get lazy!
Not sure if the services you use will be compliant? Find out! We can help Mansfield companies learn more about the services they need and the latest solutions to data dilemmas. Contact Spade Technology to learn more, either at (508) 339-5163 or by sending us a message at firstname.lastname@example.org.