If your business targets consumers in any of the 28 countries that make up the European Union, there’s a regulatory crossroads in your very near future.
In May 2018, the EU is implementing the General Data Protection Regulation (GDPR), a sweeping (260+ pages) replacement for a patchwork of national legal frameworks for the protection of personal data. More than four years in the making, the GDPR is intended to strengthen and unify data protection for individuals within the EU.
To do so, the GDPR imposes new obligations on businesses – anywhere in the world – that collect personal information from individuals residing in the EU, or that use or process such personal information. In parallel, the GDPR gives European consumers new rights and control over their personal data, including the so-called “right to be forgotten.”
There are four key attributes of the new regulation that demand the attention of any business that falls under its jurisdiction: the scope of the data it covers, its geographic impact, the new requirements that businesses must meet in order to comply, and the penalties for noncompliance.
Scope of data
“Exhaustive” might best describe the types of information that are required to be protected under the GDPR. In addition to the usual categories – such as names, dates of birth, and government ID (comparable to U.S. Social Security numbers) – the GDPR’s definition of personal data also includes home addresses, IP and email addresses, computing devices’ identifiers, online financial information, medical records, and a wide assortment of user-generated data, including social media posts and personal images uploaded to any website.
In a nutshell, virtually all personal data pertaining to European citizens or residents is considered theirs to share, or not; and businesses – referred to as “data controllers” or “data processors” – are obliged to protect it.
The geographic reach of the GDPR also deserves attention. Any company outside the European Union that is targeting consumers within the EU will be subject to the GDPR. Its protections extend far beyond those citizens of the 28 EU nations who reside within the EU.
Also protected are EU citizens who happen to reside anywhere else in the world, as well as the non-citizen residents of any EU nation, regardless of nationality. As European consumers increasingly communicate with businesses on other continents that collect, use, or process their personal data, the impact will be genuinely global.
New mandates for business
Highlights of the many new requirements that the GDPR makes of businesses are:
- Consent – Consent must be given before any personal information can be processed.
- Data Protection Officer – Companies with more than 250 employees must appoint a Data Protection Officer.
- Privacy Impact Assessments – For “risky” processing of personal data, data controllers must conduct Privacy Impact Assessments.
- Documentation – Data controllers and processors must document all of their processing, and make documentation available on request.
- Data Breach Notification – Within 72 hours of learning of a breach that affects personal data, companies must notify the relevant EU authority. In addition, consumers affected by a data breach must be notified by the data controller.
Penalties for noncompliance
The penalties that the GDPR specifies for companies that are not in compliance are stiff. They escalate from a formal written warning, to regular periodic data-integrity audits (which involve giving an auditor access to sensitive or proprietary information), to fines of up to 20 million Euros or 4 percent of a company’s worldwide revenue, whichever is greater.
The GDPR has been described by one of its legislative sponsors as “a fierce European ‘yes’ to strong consumer rights,” and it will clearly have an impact on all businesses that target those consumers. How should businesses prepare? A sound strategy will include taking an organization-wide view of data protection – one that includes the business needs and opportunities posed by personal data, as well as security and technology concerns.
More tactically, there are technology solutions that can help any organization meet the GDPR requirements for secure capture, processing, management, and storage of personal data. We’ll have more to say about these in the next installment of this blog series.