The biggest overhaul of European data privacy rules in 20 years takes effect on May 25, 2018. While the upcoming General Data Protection Regulation (GDPR) is European Union law and does not directly change U.S. law, its reach is so broad that it is worth reviewing, because it will affect companies across the pond as well.
So what is the GDPR exactly? The GDPR is a framework for privacy laws across the entire European Union that offers greater protection and control of personal data to its citizens and residents. The rule set is quite large and complicated, but below we’ve outlined some of the key elements.
Key Elements of the GDPR
Scope. The GDPR covers all personal data, which is considered to be any information relating to someone, whether personal, private or professional. According to the European Commission, “it can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
The GDPR applies to companies that collect and process the personal data of individuals located in the E.U., regardless of where the business is based. It covers any company that offers goods or services to, or monitors the behavior of, people in the E.U., even if the business has no operations or assets there. This is the biggest change from the previous Data Protection Directive, and certainly the most far-reaching and controversial.
Rights of Consent, Access, Erasure and Portability. In addition to the requirements the GDPR places on companies that collect and process information, it also gives individuals much greater access and control over the data that’s held about them.
Businesses must now obtain consent from individuals to process their data in many situations. The request for consent must be presented clearly and plainly, separate from other terms, and must state the specific purpose of the processing. Individuals must also be able to withdraw consent as easily as they gave it. For online services, the GDPR sets the default age for giving valid consent at 16, but individual countries can lower it to as low as 13.
Everyone has the right to see all the information a company holds about them, and it must be provided within one month of the request (extendable by two further months for complex or numerous requests) and, where the request was made electronically, in a commonly used electronic format. People can also have their data erased if they withdraw consent or other conditions are met. The regulation also gives individuals the right to transfer their information from one electronic processing system to another (data portability).
Data Protection Officer (DPO). Organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data such as health records, must appoint a DPO, as must public authorities. DPOs are responsible for informing and advising the company and its employees on their compliance obligations, including training any staff involved in data processing. They are also tasked with monitoring compliance, conducting audits, advising on data protection impact assessments, serving as the point of contact for the supervisory authority, and helping maintain the records of processing that the regulation requires for the company's own activities and for any third-party data processors the business uses. Because a DPO may require hiring additional resources, it is another controversial element of the regulation.
Data Breaches. Companies must report a breach to their supervisory authority (SA) within 72 hours of becoming aware of it, where feasible. The SA is the independent public authority each country designates to hear and investigate complaints and enforce compliance. If the breach is unlikely to result in "a risk to the rights and freedoms of individuals," the business is exempt from notifying the SA. Affected individuals must also be notified without undue delay when the breach is likely to result in a high risk to their rights and freedoms. That notification is not required if the exposed data is unintelligible to unauthorized parties (e.g., because it was encrypted and the key was not compromised) or the organization has since taken steps to ensure the high risk is no longer likely to materialize.
Penalties. There is a tiered approach to GDPR sanctions, depending on the severity and type of violation. A first, unintentional infringement may result in a written warning or reprimand. Lower-tier infringements, such as failing to keep records of processing or to report a breach, can be fined up to 2% of total worldwide annual turnover or €10M, whichever is higher; the most serious, such as violating the basic principles for processing or individuals' rights, can be fined up to 4% of total worldwide annual turnover or €20M ($24M), whichever is higher. It is important to note that what the GDPR calls data controllers and processors are both liable, so third-party vendors that process data on behalf of companies are not exempt from sanctions.
U.S. Data Regulations in Light of the GDPR
The U.S. has numerous rules of its own pertaining to specific sets of data and privacy, including regulations such as HIPAA and industry standards such as PCI DSS, which typically reflect the type of user data collected and stored by a given industry, from healthcare to finance. Compared to the GDPR, current U.S. regulations are not nearly as expansive or comprehensive. While regulations passed in other countries can be easy to gloss over, this one is worth following, as regulations passed elsewhere can often be a preview of what may come to pass here in the future.