Since May 25, 2018, a new set of rules has governed the digital economy, changing the game for the collection and processing of personal data. This set of rules is known as the General Data Protection Regulation, or GDPR for short. It is a European Union law that also applies throughout the European Economic Area. Its effects reach further than that, however, because it also addresses the transfer of personal data outside the EU and EEA.
If you are an overseas business, you might think this is of no interest to you, but think twice: GDPR has far-reaching effects beyond European borders. Any company established outside the EU, North American companies included, has to comply with the regulation when it offers goods or services to individuals in the EU and EEA or monitors their behaviour there.
Since the law entered into force, we have seen widespread adoption of GDPR standards by some of the major multinationals, an instance of the « Brussels effect », the phenomenon wherein European regulations become the international baseline because of their global reach. Indeed, following in the steps of GDPR, California passed a similar bill, the California Consumer Privacy Act of 2018.
Amid all of this context, you might be confused as to what this entails for your business. It is important to remember that GDPR aims primarily to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying the rules across the EU and the EEA.
Under the GDPR, personal data is defined as any information relating to an identified or identifiable person: a name, a photo, an email address, bank details, posts on social networking websites, location data, medical information, or a computer's IP address are all examples. Moreover, no distinction is made between personal data about individuals in their private, public or work roles. Under the GDPR, individuals have:
- The right of access – individuals may request access to their personal data and ask how the company uses it after it has been gathered. The company must provide a copy of the personal data, generally free of charge, and in electronic format if requested.
- The right to be forgotten – individuals may request that organisations delete their personal data, in certain circumstances.
- The right to data portability – individuals may obtain their data and transfer it from one service provider to another, in a commonly used and machine-readable format.
- The right to be informed – individuals must be told what data is being gathered and why before it is gathered. Where consent is the legal basis for processing, individuals must opt in: consent must be freely given, specific, informed and unambiguous, never implied or buried in default settings.
- The right to rectification – individuals may request that their data be corrected if it is out of date, incomplete or incorrect.
- The right to restrict processing – individuals may request that their data not be used for processing. The record can remain in place, but must not be used.
- The right to object – including the right of individuals to stop the processing of their data for direct marketing.
- The right to be notified – individuals must be notified of a breach of security involving their personal data if the breach is likely to result in a high risk to them.
To put this into practice, certain organisations are required to appoint a data protection officer who ensures adherence to the GDPR's requirements. Your data protection officer should re-examine the business's data relationship with all existing customers; ensure that mechanisms such as internal policies, external policies and vendor agreements are in place to honour withdrawal of consent; review and update any and all contracted relationships so that those relationships also adhere to GDPR; ensure that existing security and privacy programs are in line; and determine whether local and international requirements correspond with GDPR.
Because the GDPR is a regulation rather than a directive, it applies directly in every member state without national implementing laws, and not abiding by its rules can prove costly. For the most serious infringements, violators may be fined up to €20 million or, in the case of an enterprise, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is greater.
And even if you thought, when the regulation was adopted in 2016, that there was plenty of time for your business to take the necessary preparatory steps, you might, like many companies, still feel as though you are scrambling even after the deadline has passed. Despite that, GDPR has garnered support from large businesses that regard it as an opportunity to improve their data management. Mark Zuckerberg even went on to call it a « very positive step for the Internet ». For smaller businesses, though, the resources needed to comply might not be readily available. To find out more about how to prepare for GDPR in good time, look out for our upcoming blog post on 5 steps to make your business GDPR compliant.