The General Data Protection Regulation (GDPR) was passed by the EU in 2016, establishing new rules for how companies manage and share consumer data. It was introduced to ensure that all data protection laws are applied uniformly throughout EU member countries. With GDPR, the definition of personal data has been expanded to include genetic, biometric (facial recognition and fingerprints), location data, pseudonymized data, and online identifiers. The regulations also impose stricter conditions on collecting sensitive data – race, religion, political affiliation, sexual orientation, health, trade union membership, and criminal conviction. A continuous process that will be evaluated and adjusted over time, GDPR is all about forcing transparency and accountability.
GDPR requires more transparency regarding what a company is doing with personal data. Organizations must detail why data is being collected and whether it will be used to create behavioral profiles. There is also a new 72-hour breach reporting requirement. Depending on the type of breach, either an EU regulator or the data subjects themselves will have to be notified.
Stronger consumer consent is required, with a focus on ensuring that users know, understand, and consent to the data being collected about them. Consent must be an active, affirmative action rather than the passive acceptance of current models. GDPR gives consumers the opportunity to opt in to data use instead of the traditional inconvenience of opting out or switching off consent defaults. Permission must be gained for each distinct use of consumer data, and GDPR establishes that this explicit and informed consent cannot be hidden away in small print. Rather, online firms need to clearly explain what will be done with the information collected.
Another component of GDPR is the “right to be forgotten,” which states that people may have their data deleted at any time if it is no longer relevant. If data was collected under a consent model, the consumer may withdraw that consent and require the data to be deleted. Furthermore, consumers have the right to obtain the data collected about them, correct any inaccuracies, and limit the use of that data. They also have the right to transfer their data between networks.
GDPR protects individuals in the 28 EU member countries even if the data is collected or processed elsewhere. Any (U.S.) company that has a Web presence and markets products on the Web can be impacted. The geographic scope of the law includes any business that collects personal data or behavioral information from someone in an EU member country – a financial transaction doesn’t have to take place for the law to apply. GDPR also applies to any company that accepts EU currency and any organization that posts localized Web content – that is, uses references to EU consumers or presents information in EU member country languages (other than English).
There will be higher fines for noncompliance and breaches. Maximum fines per violation are 4% of the company’s global turnover or $20 million, whichever is larger. It is unlikely, however, that regulators will levy fines early on. There will be a grace period as regulators and organizations work through an understanding of the regulations. The chances of fines will increase as time goes on, and fines will not only be levied for major data breaches. They could also result from an individual whose rights were not upheld. Under-reporting and concealing issues are both serious infractions and, ultimately, regulators could suspend data transfers to third countries for continued noncompliance.
Breaches will be costlier, and a wider net will be cast for liability. The new regulations apply to all controllers and processors of data, such as cloud service providers, and both will be equally liable for data breaches. As a result, data handling is not only a security risk; it is now a business risk as well. It will be important that all of a business’s contractors, suppliers, and processes are compliant with GDPR regulations. User access controls are addressed, with tougher security measures called for, since many breaches begin internally. There are also concerns regarding hackers and GDPR-related extortion, where a ransom could be demanded and, if not paid, the stolen data sold.
Global companies have been discreetly making updates and changes to prepare for the May 25, 2018 GDPR deadline, after which they must follow the regulations that require companies to protect the personal data and privacy of people in the EU. GDPR tightens up regulations for transparency, disclosure, and process, demanding that companies be more scrupulous about what data they collect, how they collect it, and what they do with it.
Is this something that could affect your business? Wondering whether your marketing falls safely within other privacy and compliance best practices? Contact us today for a free 30-minute strategy consult.