WHAT IS THE GDPR?

First, let’s take a look at what the GDPR is and why it’s such a big concern. In 2016, the European Union approved a new set of data privacy laws and regulations that protect the personal data of EU citizens. These regulations are meant to simplify and organize data protection across the various European countries into a unified system. So, what exactly does the GDPR protect? Well, it protects personal data. More specifically, the personal data of EU citizens and residents.
WHAT CONSTITUTES PERSONAL DATA?

Under the GDPR, personal data is the information that identifies you as a unique individual or, as the technology industry thinks of it, the lines of code that Neo sees in the Matrix. Names, email addresses, phone numbers, social security numbers, credit scores, and a lot more sensitive information fall under the category of personal data. This data is handled by companies, governments, and organizations for countless reasons, such as targeted advertising and personalized shopping experiences. Personal data is a very broad category and encompasses any information that can identify you. That information includes your name, address, and even your genetics. More highly sensitive information has its own definition, known as special categories. These categories include, but aren’t limited to, race, ethnicity, political affiliations, biometrics, health information, and sexual orientation. From background checks on job applicants to digital analytics tracking for marketing purposes (the reason why all those advertisements seem oddly specific), there are a lot of ways your information is collected and redistributed. The problem is that these groups often use that information however they see fit, and they could obtain it without your consent.
WHO THE GDPR AFFECTS

The answer is complicated, but with a little work you can figure it out! First, ask yourself this question: is your business established in the EU? Establishment, in the case of the GDPR, includes having employees, business locations, or any other stable human and technical resources in the European Union. If you do, then the GDPR will affect you. Next question: does your website or your marketing target people or locations in Europe? Specifically, does your website offer translations into European languages, accept local currency, use advertising directed at the EU, or list job offers in the EU? If it does, then the GDPR will apply to your collection of personal data. Additionally, if you process large amounts of data through analytics systems that track or profile behaviors, you should understand how the GDPR could apply to you.
BASIC RESPONSIBILITIES AND OBLIGATIONS

So, you know that the GDPR is going to affect you. What are your duties to your users? Well, if you’re a Processor, they’re relatively light. You still need to secure the data provided by the Controller. Additionally, you’re required to follow the rules that the Controller provides on how to process the information. However, the tools you use to process the data are up to you. If, as a Processor, you have a breach occur, your only required obligation is to inform the Controller whose data was breached. Now, the Controllers. The burden of compliance falls onto you. You are required to provide data protection, gain consent from the users, possess robust privacy notices, and, most importantly, report data breaches. Additionally, you should appoint a Data Protection Officer (DPO) if you’re a public authority, engaged in large-scale systematic monitoring, or process large amounts of personal data that falls under the sensitive category. Their responsibility is to map your data paths, report breaches and violations to the supervisory authority, document all processes to protect your business, and ensure that you have an incident response plan.
GDPR Data Breach Requirements: BRACE FOR IMPACT

Data breaches are one of the main considerations of the GDPR. There are three categories of breaches, and you should understand that each one is a major risk for your business. The first is a Confidentiality breach, or unauthorized access to or disclosure of data. This is where a hacker, employee, or other individual gains access to information they shouldn’t have. The second is an Integrity breach. This breach occurs when data your business possesses or controls becomes corrupted or is deleted, leaving it incomplete. The final breach is an Availability breach, which occurs when access to the information is restricted. This is typically related to ransomware, where an entity holds your data hostage in return for a ransom. Regardless of what sort of breach occurs, what you’re required to do remains the same. You have a 72-hour window to notify a supervisory authority after becoming aware, with a reasonable degree of certainty, that the data was breached. That means that if there is suspicion of a breach, you have a short window to investigate before you have to announce it. Furthermore, you have to determine if the breach falls under high risk. If the breach involved sensitive personal data, you will need to inform the affected individuals. A security breach isn’t the only type of breach that the GDPR looks for. Failure to comply, violating the basic principles of the GDPR, and refusal to gain proper consent are all considered a breach of compliance. So, what’s the punishment for failing to abide by the GDPR? Well, there are two levels, and neither is pleasant. How the punishments are meted out will be determined on a case-by-case basis and will depend on the severity of the breach. A level 1 fine can run up to 10 million Euros or 2% of your global annual turnover, whichever is higher. A level 2 fine is up to 20 million Euros or 4% of your global annual turnover, again whichever is higher.
We recommend doing your best to avoid both a breach of compliance and a breach of security.
Do You Need More Help Preparing for the GDPR?
We know this is only scratching the surface of the GDPR and that there are many more details and questions you may want answered. For more information, our Support Department at TheeDigital is here to help! Please go to our support page to submit a support request and our team will get back to you promptly. Also, there are a variety of helpful FAQs that might answer your question right away!