Bolstered consumer consent. The “right to be forgotten.” 72-hour breach reporting. Hefty fine schedules. These aspects of the General Data Protection Regulation (GDPR) from the European Union are now in effect, as of May 25, 2018. As the most significant change to European data protection law in two decades, replacing the 1995 Data Protection Directive, this new set of rules is getting a huge amount of attention in security and compliance circles.
Companies based in the EU must abide by the law, as must multinational firms that do business in EU nations. Businesses in the US, or in any other non-EU country, that have no operations in the EU may assume they are not affected by the GDPR, but that is not the case. No matter where you are on the planet, you have to be concerned with GDPR compliance if you run a website that collects user information and offers goods or services to, or tracks the behavior of, people located in the EU, since you will at times be handling their personal data.
Do you really have to follow this EU law?
Some businesses may think that a regulation written across the ocean is not enough reason to change the way they do business, preferring to take their chances that they will not be fined. Companies that take this approach should be aware of the size of the fines for noncompliance. Fines fall into two tiers, and both involve substantial penalties: the upper tier is up to 20 million Euros (approximately 23.60 million US dollars at the time of writing) or 4% of annual worldwide turnover, whichever is higher; the lower tier is half that, up to 10 million Euros (11.80 million USD) or 2% of annual worldwide turnover, again whichever is higher. Violations of the provisions that EU lawmakers considered most critical to personal data protection can draw the upper-tier maximum. The key provisions on data protection and security behind these two tiers are Articles 5 and 32, as discussed in greater detail by international business law firm Pinsent Masons: a failure to secure processing adequately under Article 32 falls in the lower tier, while a breach of the basic processing principles in Article 5 falls in the upper tier.
Beyond the fine itself, being fined brings other costs, such as bad publicity and lawsuits. For businesses to be prudent and to ensure their ongoing stability, GDPR compliance is essential.
Organizations outside the European Union can look to the GDPR itself to verify whether they need to comply. Article 3 sets out the regulation’s territorial scope: it applies to organizations with no establishment in the EU whenever they process the personal data of people who are in the EU in connection with offering them goods or services, or with monitoring their behavior. Note that the test is whether the data subjects (the protected individuals) are in the EU at the time, not whether they hold EU citizenship. Also, to be clear, no financial transaction has to take place for the protections to apply; the regulation says so explicitly. Collecting personally identifiable information (PII), which the GDPR calls personal data, means protecting it per the regulation’s requirements.
While it is clear that non-EU companies must follow the GDPR, the question that remains open is whether a similar data protection law might be passed in the United States. Despite the costs and frustrations that arise from a new form of compliance, some business leaders see the law as a sign of progress. FollowAnalytics CEO Samir Addamine called passage of the GDPR the “rare time that the EU is… in advance of the rest of the world.”
Basics of the GDPR
Where an organization relies on consent as its lawful basis for processing, it now has to obtain that consent from the people in the EU whose data it collects. The request for consent must be straightforward and easy to access, and it must state the purpose for which the data will be processed. The terms should be written in plain, readable language, and anyone who gives consent should be able to withdraw it as easily as they gave it. Separately, if a data breach occurs, the organization must notify the relevant supervisory authority within 72 hours of becoming aware of it, and must also notify the affected individuals without undue delay when the breach is likely to pose a high risk to them.
Additionally, the GDPR gives every individual in the EU the right to be forgotten (the right to erasure): the right to ask that their information be removed from a business’s systems when it is no longer needed for the purpose for which it was collected, or when the individual withdraws the consent on which the processing was based.
The broad reach of the GDPR is evident from a simple example given by Jeremy Goldman of creative consultancy the Firebrand Group: if you closed a social media account, the company would have to remove all your data. There are exceptions to this rule. You cannot demand removal when retaining the data serves the public interest, as when the data is newsworthy, or when the business is legally obliged to keep it, and you cannot get records removed when their removal would interfere with freedom of expression and information (the broader category that includes freedom of speech).
Where should I focus first?
When taking on new standards and implementing a new compliance regime, it helps to have an initial point of focus. Otherwise the complexity of the legislation can feel overwhelming and deter forward motion toward GDPR compliance by international companies (and again, that means companies in any country whose websites might collect the personal data of people in the EU).
Perhaps the best place to start is the need (mentioned above) to obtain a clear, simply stated, and straightforward agreement from users before collecting their information. Companies may wonder what it means in practice for consent to be clear or easily readable, since it is difficult to get completely away from legal terminology and concepts. Consent must “involve a conscious and informed act by the individual,” noted Compliancejunction. A pre-checked checkbox, silence, or inactivity no longer counts as consent. The terms must identify the data controller (the organization responsible for the records) as well as any outside firms that will handle the information on its behalf. Consent has not required this much deliberate transparency in the past, but as of May 25 it has to be obtained through an unambiguous affirmative action that is clearly distinguishable from acceptance of the general user agreement. Keep a record of when and how each consent was given, since it is the controller that has to be able to demonstrate that consent was obtained.
Within the General Data Protection Regulation, individuals in the EU are also granted the right of access: the right to obtain, free of charge, a copy of the personal data a firm holds about them, together with the purposes for which it is being processed, the recipients with whom it has been or will be shared (including whether it is transferred outside the EU), and how long it will be kept.
GDPR compliance for your business
If you have fallen behind on GDPR compliance, analysts suggest you are not alone: a Gartner study forecast that more than half of the companies covered by the GDPR will not have reached full compliance even by the end of 2018. Since territorial scope (i.e., reach beyond the confines of the EU) is so central to how the GDPR updates European data law, businesses outside the European Union should “not be surprised to find that they are a particular target of data regulators,” noted the Workplace Privacy, Data Management & Security Report.
Are you concerned about the impact of the General Data Protection Regulation on your business? At Total Server Solutions, through our singular mission of providing you with the finest hosted services and the most robust infrastructure available anywhere, we can help you build a system that meets your needs while also achieving and maintaining compliance with the GDPR. See our customer testimonials.