The European Union’s General Data Protection Regulation, or GDPR, will change area of business from cybersecurity, human resource and market to technology. The law is such as game changer that 92 percent of U.S. companies consider making GDPR compliance at the top of their to-do list, according to a PWC survey.
With the GDPR becoming law on May 25, you must answer one question: Is your enterprise ready for GDPR?
GDPR, the first global security and privacy law, has 99 rules to protect citizens’ data in the EU. Some of the provisions in the law include, but are not limited to:
- Give EU citizens the right over the personal data. These rights include the right to be forgotten.
- Broaden the scope of the term “personal data”;
- Widen the definition of “personal data.”
- Establish privacy protections such as securing EU citizen data.
- Create stringent requirements for how citizen data is shared, stored and processed.
- Create guidelines and timelines for companies report and respond to data breaches.
- Restrict the process and collection of certain data. For instance, data collected from minors would be specific type of data.
- Set accountability requirements for all data theft and security breaches.
- Require companies to set privacy protections included in business operations.
- Impose noncompliance penalties such as up to €20 million. It also includes 4 percent of the company’s worldwide annual revenues.
GDPR Created to Address Data Protection
In 2016, the European Commission adopted the GDPR to address three growing issues in ever-changing information age. The first issue was to help citizens’ control their data. The Commission also wanted to protect citizens from devastating consequences of identity and data theft. Also, the Commission wanted to synchronize the various laws and directives across all 28 EU’s member states.
How GDPR Applies to You
GDPR compliance is required. This does not matter if your company is not located inside the EU. As long as you are doing business with an EU citizen, you must show compliance with GDPR by May 25. It also applies if you have a business that contracts with or employs an EU citizen. This means if your business collects, stores or processes personal information about EU citizens, GDPR applies to you.
According to the new law, personal data includes any identifying information like name, birth date, email address and phone numbers.
Specific types of personal data are treated differently and have even more restrictions. The certain data in special categories include sexual orientation, race, heath and criminal data. In addition to personal data, you must be aware of “anonymized” data. This is encrypted data which prevents the owner from being identified.
Any personal data collected on paper must be kept in a file cabinet and organized in a specific way such as alphabetical order.
GDPR Gives EU Citizens the Power
According to GDPR, all personal information you obtain must be handled with care. Compliance requires you to tag, process and track personal information properly. GDPR also gives EU citizens the rights to you collecting information. For instance, before collecting their personal information, GDPR requires you ask their name. You must also inform them exactly why and how you will use their personal information. The new law gives them the right to opt-in and give their permission. If this does not happen, you cannot collect, store or process any of their data.
Do not rely on just issuing privacy notice to your customers. According to GDPR, your current privacy notices are not good enough. The new law requires your privacy notices be simple, clear and concise. All customers should be able to read the notice with understanding.
GDPR gives EU citizens the right to revoke consent and have their information returned to them. For instance, data portability is a provision in the law that allows citizen to ask for their personal information. The law also allows them to request you erase their personal information from your database. You must do without delay.
This means you must have a way to remove and erase information from your database or be in noncompliance.
GDPR also requires you to prove that you are in compliance. This requires you to have someone in your organization who knows your business components, compliance, data protection and security.
Keep Personal Information Safe
Privacy and information security go hand-in-hand. GDPR makes sure that you keep data safe and that you have policies in place in case of a breach. To ensure these things happen, you will pay a hefty fine if your database is compromised or hacked. Additional apply if there is a breach and you were in non-compliance.
To keep EU citizens’ data safe, you must have a privacy and security design. The operational processes and technology systems must have the design embedded in them.
In addition to having a design you must:
- Continually check that your systems are functioning properly in case of a breach.
- Train all employees regarding your security and privacy measures according to GDPR.
- Help third-party contractors secure their personal data. Regularly test and evaluate information security measures.
- Show that you are in GDPR compliance.
- Regularly evaluate and test your security and privacy measures.
In case of a breach, you must inform all affected consumers within a 72-hour period. A breach includes any unprotected data being exposed. If you have done your work to comply, you may not have to worry about data breach.
For more information, visit ReciprocityLabs.com