BY JAKE GIBSON, Chief Compliance Officer and Chief Security Officer, LightEdge Solutions
While a mainstream discussion about personal data privacy and regulation continues here in the United States, the European Union (EU) has enacted regulations that are wide-ranging, large in scope and could affect companies in America.
The General Data Protection Regulation, or GDPR for short, was adopted by the EU on April 14, 2016, but just took effect on May 25 after a two-year transition period. It replaced an outdated version of EU data protection laws from 1995 and applies across all 18 of its members.
The GDPR gives unified data regulations for people within the EU.
Past regulations only applied to companies within the EU, but the GDPR widens the scope, extending data protection regulations to companies located outside of the EU. If a company in the United States stores the personal data of an EU resident in a data center stateside, it now falls under the GDPR.
The significance of the new regulations hasn’t been fully grasped yet — lawyers are poring over some of the vague phrasing — but becoming compliant is crucial if you do business in Europe and store data of EU residents on your servers.
In this blog, I will run you through some of the basics of the GDPR and what to do to catch up if you have fallen behind.
What are some of the big changes?
There are a lot of changes in the GDPR, but here are a few of the biggest ones.
Perhaps the largest requirement is that consumers must opt in to the collection of their personal data rather than opt out. If you’ve seen some of your favorite applications or websites sending you updated terms of service agreements lately, this is why.
Before the GDPR, many companies required customers to opt out of any data-collecting agreement with any services they used. The GDPR makes it so companies cannot collect consumer data unless those consumers specifically opt in. Simply checking a box at the bottom of the terms of service, which hardly anyone reads in full, isn’t enough anymore.
Companies processing personal data must disclose what data is being collected and how, why it is being processed, how long it is being retained and if it is being shared with any other parties.
Another big change is the length of time companies are allowed to store data. After an individual consents, companies are allowed to keep data for “no longer than is necessary for the purposes for which the personal data are processed.” Individuals may also request that their data be erased, with some exceptions, at any time.
In the event of a data breach, companies must report to authorities and the individuals affected within 72 hours of when the breach was detected. Companies affected by the data breach must also do an impact assessment after the breach to identify ways to mitigate its effects and prevent future breaches.
The GDPR is a big change, and it’s difficult to grasp all alone. Even expert lawyers are still trying to wrap their heads around some of the text. For example, the GDPR says companies must provide a “reasonable” level of protection for personal data, but it doesn’t define what “reasonable” is.
For that reason, I’d recommend getting outside help. There are audit firms that will walk your company through the GDPR and assist you in a gap analysis. A gap analysis will determine where your company is relative to the GDPR and where it needs to be to become compliant.
There are some steep penalties for not adhering to these regulations. The penalties can reach up to 20 million euros (about $23 million) or 4 percent of global turnover, whichever is higher. But looking beyond monetary penalties, complying with these regulations can only help your company gain trust with customers.
Even if you aren’t directly affected by the GDPR, you should keep an eye on it. The GDPR could be an example for data privacy regulations across the world. After the Facebook and Equifax debacles over the past year, data management practices have come under scrutiny. There hasn’t been a real effort by the United States government to put regulations on personal data collecting and sharing, but it has come under the public eye and is now a part of the mainstream discussion.