The GDPR, or General Data Protection Regulation, is going to go into effect on May 25th, 2018. Now, what exactly does that mean for you? Well, it depends on a lot of things and can drastically impact you or your business. Here’s a guide on how to help determine if the GDPR affects you and how to make sure you stay up to standards.
WHAT IS THE GDPR?
First, let’s take a look at what the GDPR is and why it’s such a big concern. In 2016, the European Union approved a new set of data privacy laws and regulations that would protect the personal data of EU citizens. These regulations are meant to help simplify and organize data protection across the various European countries into a unified system.
So, what exactly does the GDPR protect? Personal data. More specifically, the personal data of EU citizens and residents.
WHAT CONSTITUTES PERSONAL DATA?
Under the GDPR, personal data is any information that identifies you as a unique individual or, as the technology industry thinks of it, the lines of code that Neo sees in the Matrix. Names, email addresses, phone numbers, social security numbers, credit scores, and a lot of other sensitive information fall under the category of personal data. This data is handled by companies, governments, and organizations for countless reasons, such as targeted advertising and personalized shopping experiences. The definition of personal data is very broad and encompasses any information that can identify you, including your name, your address, and even your genetics.
More highly sensitive information has its own definition, known as special categories. These categories include, but aren’t limited to, race, ethnicity, political affiliations, biometrics, health information, and sexual orientation.
From background checks on job applicants to digital analytics tracking for marketing purposes (the reason all those advertisements seem oddly specific), there are a lot of ways your information is collected and redistributed. The problem is that these groups often use that information however they see fit, and they could obtain it without your consent.
WHAT IT DOES
The GDPR works as a blanket of regulation that is meant to aid in the protection of personal data for people residing in the EU. The regulation ensures that personal data is only collected for legitimate interests that have legal backing. In addition, the GDPR enforces punishments for those found violating the regulations. It also makes consent a main focus, ensuring that consent is freely given and well-informed.
It also establishes regulations over two categories of businesses and organizations, CONTROLLER and PROCESSOR. A business falls into one of these roles if it collects, processes, or uses personal data collected from EU residents. The Processor is the organization that processes data for a Controller; that means performing any operation on personal data, whether automated or not. A Controller, on the other hand, is the organization that collects, records, stores, transmits, disseminates, or otherwise possesses personal data.
So, the question becomes, “what does this have to do with me?”
WHO THE GDPR AFFECTS
The answer is complicated, but with a little work you can figure it out! First, ask yourself this question: is your business established in the EU? Establishment, in the case of the GDPR, ranges from having employees or business locations to having any other stable human and technical resources in the European Union. If you do, then the GDPR will affect you.
Next question: does your website or your marketing target people or locations in Europe? Specifically, does your website offer translations into European languages, accept local currency, use advertising directed at the EU, or list job offers in the EU? If it does, then the GDPR will apply to your collection of personal data.
Additionally, if you process large amounts of data through analytics systems that track or profile behaviors, you should understand how the GDPR could apply to you.
BASIC RESPONSIBILITIES AND OBLIGATIONS
So, you know that the GDPR is going to affect you. What are your duties to your users? Well, if you’re a Processor, they’re relatively light. You still need to secure the data provided by the Controller. Additionally, you’re required to follow the rules the Controller provides on how to process the information. However, the tools you use to process the data are up to you. If, as a Processor, you have a breach, your only required obligation is to inform the Controller whose data was breached.
Now, the Controllers. The burden of compliance falls onto you. You are required to provide data protection, gain consent from your users, possess robust privacy notices, and, most importantly, report data breaches.
Additionally, you should appoint a Data Protection Officer (DPO) if you’re a public authority, engaged in large-scale systematic monitoring, or processing large amounts of personal data that falls under the sensitive category. The DPO’s responsibility is to map your data paths, report breaches and violations to the supervisory authority, document all processes to protect your business, and ensure that you have an incident response plan.
GDPR Data Breach Requirements: BRACE FOR IMPACT
Data breaches are one of the main considerations of the GDPR. There are three categories of breaches, and you should understand that each one is a major risk for your business. The first is a Confidentiality breach: unauthorized access to or disclosure of data. This is where a hacker, employee, or other individual gains access to information they shouldn’t have. The second is an Integrity breach. This occurs when data your business possesses or controls becomes corrupted or is deleted, leaving it incomplete. The final category is an Availability breach, which occurs when access to the information is restricted. This is typically related to ransomware, where an entity holds your data hostage in return for a ransom.
Regardless of what sort of breach occurs, what you’re required to do remains the same. You have a 72-hour window to notify a supervisory authority, counted from the point at which you become aware of the breach and have a reasonable degree of certainty that data was breached. That means that if there is suspicion of a breach, you have a short window to investigate before you have to announce it. Furthermore, you have to determine whether the breach falls under high risk. If the breach contained sensitive personal data, you will need to inform the affected individuals.
A security breach isn’t the only type of breach that the GDPR looks for. Failure to comply, violating the basic principles of the GDPR, and refusal to gain proper consent are all considered a breach of compliance.
So, what’s the punishment for failing to abide by the GDPR? Well, there are two levels, and neither is pleasant. How the punishments are meted out will be determined on a case-by-case basis and will depend on the severity of the breach. A level 1 fine can run up to 10 million Euros or 2% of your global annual turnover, whichever is higher. A level 2 fine is up to 20 million Euros or 4% of your global annual turnover, again whichever is higher.
We recommend doing your best to avoid both a breach of compliance and a breach of security.
What to Do to Become GDPR Compliant