Data Privacy and GDPR
Posted by Timothy Platt on Jul 22, 2017
GDPR and Data Privacy
The GDPR is coming! What’s the GDPR? It’s the General Data Protection Regulation, a tough new standard for the protection of personal data such as names, email addresses, home addresses, and so on. It replaces the patchwork of national rules with a single regulation that applies directly in every EU member state, and it protects every natural person in the EU, not only EU citizens. Just because your business is US based doesn’t mean it won’t apply: the regulation reaches any organization that offers goods or services to people in the EU or monitors their behavior, and it also governs transfers of personal data outside the EU. That’s a sizable number of countries and people, and it’s expected to bring a major shift in the way organizations handle personal data. Expect ripple effects and requirements for improved data privacy in the US. And shouldn’t we be doing a better job at that regardless?
How does the GDPR impact businesses?
There are three key roles defined by the GDPR: the data controller (the organization that decides why and how personal data is processed, typically the one collecting it from people in the EU), the processor (an organization that processes data on the controller’s behalf, such as a cloud service provider), and the data subject (the person the data is about). The data subject is any identified or identifiable natural person located in the EU, regardless of citizenship. Take a look at that last item again: the GDPR will apply to your business if you collect personal data on people in the EU, even if your company is US based, and both controllers and processors carry obligations under it.
The immediate ramification is that if you currently do business, or wish to do business, with EU consumers, you’ll need to meet the requirements of this regulation. If you don’t, you could be subject to investigations, orders to stop processing, and administrative fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher.
But secondly, we expect that this tough new level of data privacy will have ripple effects on the US: EU based companies with high data privacy standards will have a competitive advantage over US companies, and given the comparatively lax state of data privacy in the US, you can expect additional requirements to come in the future through various channels.
But lastly, don’t we owe consumers a higher level of data privacy than what is common practice now? Breaches of information are numerous and have long term impacts. Handling data privacy in a thorough fashion can be a competitive advantage for your business, and can minimize the damage and embarrassment when data breaches do occur.
Better data privacy is better for business.
What’s considered personal data?
The GDPR’s definition of personal data is very broad: any information relating to an identified or identifiable natural person, including:
- Name
- Location data, such as a home address
- Identifiers such as passport numbers, driver’s license numbers, and customer or account numbers
- Online identifiers such as IP addresses, cookie IDs, and related computer and network information that can be used to single out an individual
- Health and genetic data
- Racial or ethnic origin
- Political opinions
- And more…
The last three are “special categories” of data, which may only be processed under narrow conditions and call for stronger safeguards.
What does the GDPR require?
The Wikipedia page on the GDPR has a good summary, and easily navigable versions of the complete text are available online. The regulation itself runs to 99 articles, preceded by 173 recitals, covering how personal data may be collected, used, and stored. The high-level points are described below.
Rights for data subjects:
- Right of Access – Data subjects must be able to find out whether their data is being processed and obtain a copy of it, along with the purposes, the recipients, the retention period, and the source of the data.
- Right to Rectification – Data subjects must be able to have inaccurate data corrected and incomplete data completed without undue delay.
- Right to Data Portability – Data subjects must be able to receive the data they provided in a structured, commonly used, machine-readable format, and have it transmitted to another company where technically feasible.
- Right to Erasure (the “right to be forgotten”) – Companies must delete personal data on request when it is no longer needed, consent is withdrawn, or the processing was unlawful, unless a legal obligation or another listed ground requires keeping it.
Additional requirements on companies:
- Data Protection Officer (DPO) – Public authorities, and companies whose core activities involve large-scale regular and systematic monitoring of people or large-scale processing of special-category data, must designate a DPO with expert knowledge of data protection law and the independence and authority to ensure compliance. Other companies are not required to appoint one, but someone still needs to own GDPR compliance.
- Breach notification – A personal data breach must be reported to the supervisory authority within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals; where the risk is high, the affected data subjects must also be told without undue delay. That clock means detection, triage, and notification procedures need to exist before an incident, not after.
- Security of processing – Appropriate technical and organizational measures must be in place for the risk at hand. The regulation names pseudonymisation and encryption, ongoing confidentiality, integrity, availability and resilience of systems, the ability to restore data after an incident, and regular testing of those measures. Data protection by design and by default means privacy controls are built in from the start and only the data needed for each purpose is collected by default.
- Data protection impact assessments – Where processing is likely to create a high risk to individuals (for example large-scale profiling or monitoring), a DPIA must be performed to identify and mitigate the risks before the processing starts.
One last point: personal data that is encrypted or pseudonymised is still personal data, because whoever holds the key or the lookup table can reverse it. Encryption does help (a breach of data that was rendered unintelligible to the attacker need not be communicated to the affected individuals), but the protections needed for personal data go far beyond it. Only data that is truly anonymised, with no reasonable means left to re-identify anyone, falls outside the regulation. Encryption is just the start.
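To make that point concrete, here is an added example (my own Python, not code from the original post) of pseudonymisation with a per-subject key. The class `PseudonymVault`, the helper `pseudonymise_records`, and the sample records are all constructed for illustration. It shows two things: while the vault entry exists, the pseudonymised records can be linked back to a person, so they remain personal data; and deleting that one entry is what erases the person from copies of the records you may not be able to rewrite (backups, append-only logs), which is one practical way to honor the right to erasure described above.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for this example; these are not real people.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "country": "DE", "plan": "pro"},
    {"email": "bob@example.com", "country": "FR", "plan": "free"},
    {"email": "Alice@example.com", "country": "DE", "plan": "pro"},
]


class PseudonymVault:
    """Maps direct identifiers to pseudonyms and back (hypothetical helper).

    The per-subject keys held here are the 'additional information' that
    makes re-identification possible. While an entry exists, records that
    carry its pseudonym are still personal data. Dropping the entry breaks
    the link for every copy of those records at once, including backups.
    """

    def __init__(self):
        self._subjects = {}  # normalised email -> (per-subject key, pseudonym)

    @staticmethod
    def _normalise(email):
        return email.strip().lower()

    def pseudonym_for(self, email):
        """Return a stable pseudonym for `email`, minting a fresh key on first sight."""
        email = self._normalise(email)
        if email not in self._subjects:
            key = secrets.token_bytes(32)
            tag = hmac.new(key, email.encode("utf-8"), hashlib.sha256).hexdigest()
            self._subjects[email] = (key, tag)
        return self._subjects[email][1]

    def re_identify(self, pseudonym):
        """Reverse lookup. Returns the email, or None once the subject is erased."""
        for email, (_key, tag) in self._subjects.items():
            if hmac.compare_digest(tag, pseudonym):
                return email
        return None

    def erase(self, email):
        """Delete the subject's key and mapping. Returns True if an entry existed.

        With the key gone, nobody can recompute the old pseudonym, not even
        someone who knows the email, so the remaining records are orphaned.
        """
        return self._subjects.pop(self._normalise(email), None) is not None


def pseudonymise_records(records, vault):
    """Replace the direct identifier with a pseudonym; keep only the fields needed."""
    out = []
    for rec in records:
        out.append({
            "subject": vault.pseudonym_for(rec["email"]),
            "country": rec["country"],
            "plan": rec["plan"],
        })
    return out


if __name__ == "__main__":
    vault = PseudonymVault()
    dataset = pseudonymise_records(SAMPLE_RECORDS, vault)
    alice = dataset[0]["subject"]
    print("same person, same pseudonym:", dataset[0]["subject"] == dataset[2]["subject"])
    print("re-identified while key exists:", vault.re_identify(alice))
    vault.erase("alice@example.com")
    print("re-identified after erasure:", vault.re_identify(alice))
```

Two design notes. A single HMAC key for the whole dataset would be simpler, but anyone holding it could test a known email against the records even after the person asked to be forgotten; a random key per subject means deleting one entry severs that one person only. And pseudonymisation is not anonymisation: if the remaining fields (country, plan, timestamps) are enough to single someone out, those records are still personal data regardless of what happened to the email.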
When does GDPR take effect?
The regulation was adopted in April 2016 and replaces the 1995 Data Protection Directive; after a two-year transition period it applies, and is enforceable, from May 25, 2018.
Next Steps on Data Privacy
There’s a lot to consider regarding the GDPR. Does it impact your company now? How about in the future? The first step is to understand the full impact and implement a prioritized plan to meet the requirements. Maybe GDPR doesn’t apply to your small business, but you want to protect your consumer data thoroughly regardless. That’s where we can help. Contact us now with your data privacy concerns and questions. We can advise, plan, and assist to ensure you can meet your data privacy goals. Please reach out if we can be of help to your company.
The Orlando IT Company that Cares About Your Small Business
Virtual Operations is the Orlando IT company that cares about your small business. The business consultant you choose can make all the difference. Our Managed IT Service offering provides the expertise and proactive care required to ensure your technology works for you. We are Orlando’s best small business consultants, and that is the advantage that Virtual Operations provides.