What Other Countries Need to Know about the European Privacy Laws and Policies / GDPR
What Companies Outside of the European Union Need to Know about the European Privacy Laws and Policies/GDPR
On 25th May 2018, the European General Data Protection Regulation (GDPR) will come into force and non-compliance may cost companies a hefty amount. It will change the way businesses and public sector organisations handle the information of customers.
The premise of the regulation is to protect individuals’ personal data and privacy for transactions that occur within European Union (EU) member states. It also regulates the exchange of personal data outside of the EU.
One thing companies outside of the EU need to take note of is that the General Data Protection Regulation will apply equally to all businesses that market to or do business with European Union member states, regardless of where in the world that business is located.
Here are some things that you need to know about the GDPR:
1. What is the General Data Protection Regulation?
The GDPR was created to protect the personal data of EU citizens and to govern how that data is collected, stored, processed, used, and eventually destroyed once it is no longer needed. The legislation was created to give citizens control over their personal data.
2. What is Covered?
Personal data includes IP addresses, location data, and online identifiers. Sensitive personal data includes biometric and genetic data. Other points include parental consent necessary for processing children’s data, cross-border data transfer, how to prevent data breaches, and strict guidelines for data breach notification when they do occur.
It also includes information routinely requested by websites, including IP and email addresses, physical device information such as a computer’s MAC address, individuals’ home addresses, dates of birth, and online financial information including online transaction histories.
“However, that’s not all the GDPR is intended to safeguard. The legislation also protects user-generated data such as social media posts (including individual tweets and Facebook updates), as well as personal images uploaded to any website, including those that do not feature the likeness of the person who uploaded the image. The GDPR also covers medical records and other uniquely personal information commonly transmitted online.
Essentially, the GDPR protects any and all personal user data across virtually every conceivable online platform.” 2
Opt-in rather than Opt-out
Under the GDPR, companies have to switch from an opt-out approach to an opt-in approach. That is – rather than giving users an option to opt-out of having their data collected and stored, users must give permission to have their data collected and used. This applies to newsletters and other platforms where their data may be collected.
European users have the legal right to question or appeal how their personal information is presented by algorithms such as those used by search businesses and the likes.
3. Who will be affected and what does it mean for businesses outside the EU?
The GDPR does not only apply to companies in the EU but also to companies outside of the EU that market goods or services to EU citizens. It also applies to companies that either control or process data regarding an EU citizen.
It’s important to note that under GDPR, both processors and controllers are accountable for the handling of EU citizens’ personal data (processors process data on behalf of another company, the controller).
All companies that fall under those categories must be compliant with all GDPR requirements. That is why it is important – even for non-EU companies – to understand and prepare for this.
The Information Commissioner’s Office of the UK has the following steps on how to prepare for the GDPR:
Here is one from the Australian Government:
4. Compliance (or failure of)
Within 72 hours of detecting a data breach, data controllers are responsible for reporting any and all possible data breaches to the relevant authorities.
“The first step of the process is a formal written warning, which can be issued to a company even in cases of accidental violations; ignorance of the law is not a valid excuse for breaking it. The next stage of punitive actions can force companies in violation of the GDPR to undergo regular periodic data integrity audits to ensure compliance, which also means surrendering access to potentially sensitive, confidential, or proprietary information to an auditor.
For companies that still haven’t taken the hint, firms that are found to have breached or violated any part of the legislative package after initial sanctions can be fined up to €20 million (approximately $23.5 million USD) or 4% of a company’s worldwide turnover, whichever is greater.” 3, 4
5. What should we do in the data area to prepare now?
One of the key takeaways from this is that it is important for companies – EU and non-EU – to start implementing processes that ensure proper and accurate recording of all data-related items. Here are some suggested steps:
- Perform a data audit of all personal data held.
- Record, for each item of personal data, where and when it was received, together with the associated consent/opt-in that allows use of this data.
- Ensure all personal data on an individual can be found if requested, even if the data is spread across multiple databases or data stores (e.g. a CRM in the cloud).
- Delete any personal data for which there is no consent to use the data.
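The four steps above are essentially a data inventory with consent tracking. The following is an added example (not code from the article or from BusinessMinds) of what such an inventory can look like in code: each personal-data item is recorded with the store that holds it, its source, when it was received and the consent reference that permits its use; the inventory can then produce a data dictionary, pull together everything held on one individual across stores, and purge items that have no consent recorded. All store names, subject ids and records are constructed sample data.

```python
"""Minimal personal-data inventory with consent tracking (added illustration)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


@dataclass
class PersonalDataRecord:
    store: str                  # system holding the item, e.g. "crm_cloud" (constructed name)
    subject_id: str             # identifier linking records to one individual
    field_name: str             # which personal-data item, e.g. "email"
    value: str
    received_at: datetime       # when the item was received
    source: str                 # where it came from, e.g. "web_signup_form"
    consent: Optional[str] = None  # consent / opt-in reference; None means no consent recorded


class DataInventory:
    """Company-wide index of where personal data sits and on what consent basis."""

    def __init__(self) -> None:
        self._records: List[PersonalDataRecord] = []

    def register(self, rec: PersonalDataRecord) -> None:
        """Audit step: every personal-data item held is recorded here."""
        self._records.append(rec)

    def data_dictionary(self) -> Dict[str, List[str]]:
        """Store -> sorted list of personal-data fields held in that store."""
        fields: Dict[str, Set[str]] = {}
        for r in self._records:
            fields.setdefault(r.store, set()).add(r.field_name)
        return {store: sorted(names) for store, names in sorted(fields.items())}

    def find_subject(self, subject_id: str) -> List[PersonalDataRecord]:
        """Everything held on one individual, across all stores (subject access request)."""
        return [r for r in self._records if r.subject_id == subject_id]

    def unconsented(self) -> List[PersonalDataRecord]:
        """Items that are held without a recorded consent reference."""
        return [r for r in self._records if r.consent is None]

    def purge_unconsented(self) -> int:
        """Delete items with no recorded consent; returns the number removed."""
        before = len(self._records)
        self._records = [r for r in self._records if r.consent is not None]
        return before - len(self._records)


def build_sample_inventory() -> DataInventory:
    """Constructed sample data: two customers spread across three stores."""
    inv = DataInventory()
    t1 = datetime(2017, 11, 3, tzinfo=timezone.utc)
    t2 = datetime(2018, 1, 15, tzinfo=timezone.utc)
    inv.register(PersonalDataRecord("crm_cloud", "cust-001", "email",
                                    "a.example@example.invalid", t1,
                                    "web_signup_form", consent="optin-2017-11-03"))
    inv.register(PersonalDataRecord("crm_cloud", "cust-001", "home_address",
                                    "1 Sample Street", t1,
                                    "web_signup_form", consent="optin-2017-11-03"))
    # Legacy newsletter list imported without any opt-in record
    inv.register(PersonalDataRecord("newsletter", "cust-001", "email",
                                    "a.example@example.invalid", t1,
                                    "legacy_import", consent=None))
    inv.register(PersonalDataRecord("analytics", "cust-002", "ip_address",
                                    "192.0.2.10", t2, "web_server_log", consent=None))
    inv.register(PersonalDataRecord("crm_cloud", "cust-002", "email",
                                    "b.example@example.invalid", t2,
                                    "web_signup_form", consent="optin-2018-01-15"))
    return inv


if __name__ == "__main__":
    inventory = build_sample_inventory()
    print("Data dictionary:", inventory.data_dictionary())
    print("Held on cust-001:", [(r.store, r.field_name) for r in inventory.find_subject("cust-001")])
    print("Removed without consent:", inventory.purge_unconsented())
    print("Held on cust-001 after purge:", [(r.store, r.field_name) for r in inventory.find_subject("cust-001")])
```

In a real organisation the records would be populated from each system rather than typed in, and the purge would be replaced by a deletion request issued to the owning store; the point of the structure is that the subject id and the consent reference are captured at the moment data is received, which is what makes a later access request or deletion feasible across a cloud CRM, a mailing list and an analytics database.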
There are benefits to an organisation in performing the steps above. Some of these are:
- Creating a data dictionary of where all data, including personal data, is stored, which gives company-wide visibility of the data available.
- Linking together data on an individual, which makes it easier to recognise and link together the products and services used by each customer.
We hope you found this article interesting.
BusinessMinds have been helping organisations in the EU and internationally to prepare for the GDPR. Get in touch to find out more.
- Image link: http://www.consilium.europa.eu/en/infographics/data-protection-regulation-infographics/
- Link: https://www.wordstream.com/blog/ws/2017/09/28/eu-gdpr
- Quotations from “10 Things We Need to Know About the European GDPR” by Dan Shewan, https://www.wordstream.com/blog/ws/2017/09/28/eu-gdpr