When the EU's General Data Protection Regulation (GDPR) takes effect on May 25, 2018, "business as usual" takes on a different meaning. The complex, far-reaching law changes how business is conducted in almost every area of operations, including marketing, cybersecurity, technology, and human resources. According to a PwC survey, 92% of US-based firms rank preparing for GDPR compliance among their top priorities.
GDPR replaces the 1995 Data Protection Directive with a single regulation that applies directly in every EU member state and, unlike the directive, reaches organizations outside the EU. Its 99 articles set out rules that safeguard the personal data of people in the EU. Among other things, the regulation:
- Widens the scope of “personal data”;
- Gives individuals in the European Union extensive rights over their personal data, such as the right to erasure (the "right to be forgotten");
- Formulates strict prerequisites for how companies go about the processing, storing and sharing of citizen data;
- Creates rules for safeguarding data belonging to EU citizens;
- Sets both guidelines and timelines for reacting to and reporting any data breach;
- Restricts the gathering and processing of given types of data;
- Makes controllers and processors accountable for how data is handled, including for breaches and data theft;
- Requires that privacy protections be built into business activities (data protection by design and by default); and
- Puts in place noncompliance penalties of up to €20 million or 4% of the firm's global annual turnover, whichever is higher.
Why is GDPR Important?
In the current digital age, data helps define us, and this only intensifies as the world becomes a global village. The EU adopted the GDPR in April 2016 to address growing concerns about how much control individuals have over their data, to harmonize the patchwork of national laws implementing the old directive across the EU's then 28 member states, and to protect people in Europe from the damaging consequences of identity and data theft.
Does the Regulation Apply to Me?
Any organization that processes the personal data of people in the EU has to be GDPR compliant by May 25, 2018, whether or not the organization itself is located in the EU. The regulation applies if you are established in the EU, or if you are established elsewhere but offer goods or services to people in the EU or monitor their behaviour (for example, by tracking website visitors). Note that the test is where the data subjects are, not their citizenship. If your enterprise collects, analyzes, or stores personal data about such people, the GDPR applies to you. Organizations that employ or contract people in the EU must likewise satisfy GDPR requirements for the employee data they hold.
Certain types of personal data, the "special categories," carry additional restrictions. These cover racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify a person, health data, and data about a person's sex life or sexual orientation; data about criminal convictions and offences is subject to its own separate restrictions. Bear in mind that truly anonymized data, which can no longer be linked to an individual by any reasonably likely means, falls outside the GDPR, because the regulation's objective is to protect individuals and their privacy. Encrypted or pseudonymized data does not qualify: as long as a key or a lookup table exists that can re-identify the individual, it is still personal data and still in scope. Encryption is a recommended security measure under the regulation, not a way out of it.
Power to the People
Once you hold the personal data of people in the EU, you have to handle it with care. Under this regulation, data subjects have individual rights over how their personal information is used, and exercising those rights can complicate compliance unless you tag and track the data appropriately so that you can find every copy of it.
Data subjects can change their minds at any time, even after consenting to your using, sharing, or storing their data, and withdrawing consent must be as easy as giving it. In addition:
- The right to erasure, commonly called the "right to be forgotten," means that when a data subject asks you to erase their personal data, and one of the regulation's grounds applies, you must do so "without undue delay." This is hard to honour for organizations that cannot track where a given person's data lives across their systems and backups.
- The right to data portability allows data subjects to receive the data they provided to you in a structured, commonly used, machine-readable format, and to have it transmitted to another provider.
- Data subjects also have the right to access a copy of their data and to have inaccurate data rectified, which requires you to be able to locate all of it on request.
Keeping it Safe
Information and privacy go hand-in-hand, and the GDPR comes with particular requirements for protecting EU citizen data, as well as what your business ought to do in case of any breach. In case of any breach to your database, EU citizens’ data may be largely compromised. Such cases could lead to severe penalties that could translate to more fines due to non-compliance.
Under GDPR, privacy and security design are necessary. They ought to be integrated into your technology systems and operational processes to allow it to take place automatically. In case your business is hacked and the unsecured data is exposed, the GDPR calls for the need to inform authorities, as well as notify all the parties affected, within 72 hours.
The ‘Zen’ Mind of Readiness
For most organizations, implementing GDPR will take a considerable amount of effort, resources, and time. Still, you need to demonstrate compliance with this extensive regulation by May 25, 2018, if you want to continue doing business with people in the European Union and avoid heavy fines.
According to one industry survey, two thirds of enterprises anticipate having to change their global business strategies to become GDPR compliant, and over half expect to be hit with significant fines for noncompliance.
Ken Lynch is an enterprise software startup veteran who has always been fascinated by what motivates people at work and how to make work more engaging. Ken founded Reciprocity to pursue just that, and has driven Reciprocity's success with the mission of engaging employees with their company's governance, risk, and compliance goals in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.