Since the European Union (EU) enacted the Data Protection Directive in 1995, the collection and extraction of personal data on the internet has changed drastically. To keep pace with these developments, the EU has adopted a strict set of rules for the protection of personal data across all 28 member states: the General Data Protection Regulation (GDPR).
The EU’s GDPR informational website lists the key changes that the GDPR mandates and how they differ from the pre-existing law. The greatest change is the increased territorial scope: the GDPR applies not only to organizations established in the EU, but to any organization, wherever it is located, that processes the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behavior. Organizations that do not abide by the GDPR can be fined up to 4% of their annual global turnover or 20 million euros, whichever is greater. That is the maximum; a lower tier of fines (up to 2% of annual global turnover or 10 million euros) applies to lesser violations such as failures in record-keeping or breach notification.
New Rules Regarding Data Subject Rights
The rules mandated by the GDPR aim to protect the information of data subjects, the identifiable individuals to whom personal data relates. A data controller determines why and how personal data is or will be processed; a controller can be an individual, a company, a public authority, or any other body. A data processor is an individual or organization that processes personal data on behalf of, and on the instructions of, the data controller (an employee acting for the controller is not a processor; an outside vendor typically is).
The following are six of the key changes to data protection directives under GDPR:
1. Mandatory breach notification: controllers must notify the supervisory authority within 72 hours of becoming aware of a personal data breach (unless the breach is unlikely to result in a risk to individuals), and must notify the affected data subjects without undue delay when the breach is likely to result in a high risk to them.
2. Right to access: data subjects can obtain from the data controller confirmation of whether their personal data is being processed and, if so, a copy of that data along with the purposes of the processing, the recipients, and where the data came from.
3. Right to be forgotten (right to erasure): data subjects can have their personal data erased and its further dissemination stopped, for example when the data is no longer needed for its original purpose or when consent is withdrawn.
4. Right to data portability: data subjects can receive the personal data they have provided in a structured, commonly used, machine-readable format and transmit it to another controller.
5. Privacy by design and by default: controllers must build data protection into systems from the outset, retain and process only the data necessary for each specific purpose, and limit access to personal data to those who need it for that processing.
6. Internal record-keeping replaces registration: controllers no longer have to file notifications of their processing activities with each national data protection authority; instead they must keep internal records of processing activities, which makes enforcement more consistent across the member states. Appointing a Data Protection Officer is mandatory only in specific cases, chiefly public authorities and organizations whose core activities involve large-scale, regular and systematic monitoring of data subjects or large-scale processing of special categories of data.
One of the most interesting changes the GDPR introduces concerns consent. A request for consent must now be presented in a clear, intelligible, and easily accessible form, in plain language and distinguishable from other matters, something nearly unheard of in data protection until now. EUGDPR.org states, “It must be as easy to withdraw consent as it is to give it.”
This approach is fundamental to individual data protection. The problem with data protection as it stands today is that many data subjects do not understand or realize just how much of their personal data is sold or shared across the internet. By requiring that the conditions for consent be understandable to the public, the GDPR gives data subjects a real choice over how and when their data is shared. Although one could argue that the right to consent has always been available, the clarity of the request has not.
The transparency of data processing is the greatest and most important development, one that treats data privacy as a basic human right.
Is Your U.S. Corporation Exempt from GDPR?
If you think your organization is exempt from the GDPR’s new rules because it is located in the U.S., you are mistaken. (See the Editor’s Note for your best next steps!)
If your company offers goods or services to, or monitors the behavior of, individuals in the EU and collects any form of personal data from them, you must follow the GDPR. The rules depend neither on the country in which your organization is established nor on the location of the company from which you are gathering data, but on where the data subjects are.
The GDPR is intended to create a true form of data privacy for the consumer, so as long as the personal data your company collects relates to people in the EU, you must comply. If you process data on behalf of a company within the EU, you can assume it is collecting data from people in the EU, and as a processor you will be bound by the contractual obligations the GDPR requires the controller to impose on you. It is sensible to err on the side of caution and verify the origin of all personal information your company gathers.
The GDPR goes into effect May 25, 2018, and your organization needs to be prepared to adhere to it. We want you to be ready, too, so we’re holding a GDPR-readiness webinar and we want you to join us. Aberdeen VP & Research Fellow Derek Brink and Oracle’s Security Business Development Director Alessandro Vallega are hosting Ready or Not, GDPR is Here: What You Should Be Doing Next. Register now to ensure you’re in the know and to avoid the serious monetary and reputational penalties you will face if you fail to comply with this new regime.