On Friday, May 25, 2018, a European Union law that has been described as the biggest shakeup of personal data privacy rules since the birth of the Internet came into force. Called the General Data Protection Regulation (GDPR), it was already passed by the European Parliament in 2016, but now with its implementation it overrides other laws relating to data privacy that had previously been ratified by individual European countries. And its influence will extend beyond Europe, because it will apply also to all companies and organizations collecting and processing personal data provided by individuals living in the EU. Businesses that do not comply could face heavy fines.
GDPR defines personal data as “any information relating to an identified or identifiable natural person.” That includes the person’s name, address, email address, contact information, ID numbers, financial information, IP address, geolocation, browsing history, cookies and other digital identifiers. It also includes data about a person’s physical, mental, sexual, social, economic or cultural identities.
Concerning how organizations and companies handle such data, GDPR declares that individuals living in the EU have certain basic rights. These include: (1) the right of access, meaning that they may ask for a copy of the personal data being retained about them and request an explanation of how it is being processed; (2) the right to rectification, by which they can demand that personal information about them be corrected, revised or removed; (3) the right to be forgotten, allowing them to demand that all personal data be deleted; (4) the right to restrict processing, meaning that they can limit the use of their personal data; (5) the right of portability, according to which individuals have the right to receive their personal data in a structured, commonly used and machine-readable format; and (6) the right to object, by which the individual is allowed to decide that they no longer wish to allow their personal data to be included in analytics, or to receive direct marketing emails or other personalized targeted marketing content.
GDPR potentially applies to all companies and organizations, but compliance is more cumbersome for bodies with more than 250 employees. Home and household users are exempt, meaning that sending emails from your personal Outlook or Gmail account is still okay.
But if you are a business holding personal information in a digitized format, as most businesses today are, and you are located in the European Union and/or interact with individuals living there, you may be affected if your business relies in any way on that information being processed.
Not only does this require collecting personal data in a lawful manner, and processing it only in the way that the individual to whom it refers understood you would, but it also means that you must take appropriate measures to ensure that the data does not fall into the hands of others. This means that you cannot transfer personal data to other parties without consent, and also that you must take reasonable steps to ensure that the way you store or handle the data is secure against hacking. This could include storing the information on an encrypted cloud-based server, using malware protection, and using a VPN when connecting to the Internet via a public hotspot. And if you are hacked, you are obliged to report this fact to the relevant data breach authority within 72 hours of becoming aware of it.
What are the basic steps that a company should take to prepare for the new GDPR environment?
(1) Document what personal data you hold. Know what information you possess, how you got it, who you can share it with, what you can do with it, and whether it’s still relevant and necessary for the purposes you collected it.
(2) Establish a lawful basis for processing data. This may require consent from the individuals supplying their data, for limited periods of time and for narrowly defined purposes.
(3) Be certain that you can honor data requests, which means demands to reveal what information you have, as well as deleting, amending or moving data to a different organization. Such requests need to be fulfilled within one month.
(4) Be able to demonstrate that you have taken reasonable measures to protect the data you hold, and in the event that there is a breach of security you must report it within three days of first learning that it occurred.
(5) Consider appointing a Data Protection Officer to oversee the process, particularly if you are an organization with more than 250 employees.