General Data Protection Regulation (GDPR) will impact you.
It is almost 2018 and most people and businesses have heard about data: big data, small data, analytics, data privacy, data security and so on. Governments and organizations around the world have placed a large focus on data protection, legislating for the privacy of both customer information and private personal information. Canada has its own rules and regulations in this area, such as its anti-spam legislation (CASL). However, many of the large global technology companies have been the focus of governments worldwide over how they handle and protect customer privacy. Microsoft, Google, and others have been under sharp scrutiny in the European Union, and this is definitely part of why the GDPR, or General Data Protection Regulation, came about. It comes into effect in May 2018.
What is GDPR?
The GDPR is a regulation adopted by the European Parliament and the Council of the EU, on a proposal from the European Commission, that strengthens and enforces data protection for individuals in the EU (the "data subjects"), whether or not they are EU citizens.
- Data privacy for individuals in the European Union
- Regulation with penalties (up to 2% or 4% of global annual turnover, depending on the infringement)
- Enforced beginning May 25, 2018
- The most thorough data privacy compliance regime to date
- Requires organizations to know what personal data of EU individuals they hold, why they hold it, and how they are using it
Who does the GDPR affect?
The GDPR applies to organizations located within the EU, but it also applies to organizations located outside the EU that offer goods or services to individuals in the EU or monitor their behaviour. This matters to any business doing or intending to do business in the EU, and it should also give pause to any company that exports personal data out of Europe. In short, the regulation applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company's location.
“Over 5 million data records are lost or stolen every day”
At the end of the day, it is designed to give ordinary citizens control over where and how their personal data is used, stored and ultimately deleted. The GDPR also simplifies the rules for businesses across Europe: as a regulation it applies directly in every member state, replacing the patchwork of national laws that implemented the earlier 1995 Data Protection Directive.
Penalties for non-compliance
The regulation imposes strict protection and compliance requirements for personal data and comes with severe penalties and fines. With the exponential growth in data and the digital transformation taking place in most industries and economies, the concept of digital rights rises to the forefront.
“Arguably the biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location.”
Companies and organizations can be fined up to 4% of their global annual turnover or €20 million (roughly CAD $30 million), whichever is higher, but that upper tier is reserved for the most serious infringements, such as processing without a lawful basis or ignoring data subjects' rights. A lower tier of up to 2% or €10 million applies to failures such as not keeping adequate records, not securing data properly, or not notifying the supervisory authority and affected data subjects of a breach. Recent cases of delayed or concealed breach disclosure, such as Uber and Equifax, illustrate the kind of conduct that will attract penalties.
“The average cost of a single data breach in 2020 will exceed $150 million, as more business infrastructure gets connected” (juniperresearch.com)
Of note: this applies to customer or private data regardless of where it is processed, held or located, whether on-premises, in the cloud or on portable mobile devices.
Let's be honest with ourselves. We don't often protect ourselves and our personal data, opting for simplicity and the path of least resistance. With our personal information readily available, any smart hacker with a bit of time can easily get hold of it. Whether you are fully engaged in social media or not, technology as a whole collects all sorts of data on ordinary citizens. Where you make purchases, fill up with gas, whom you talk with or email via your mobile devices: it is all tracked. And when signing up for services, does anyone fully read the T&C, or terms and conditions? Well, consent is a prominent part of this regulation, and one of the lawful bases on which personal data may be processed. Any legal agreements, T&Cs and the like must be spelled out in clear, plain language, in an easily accessible form, and the request for consent must be clearly distinguishable from other matters.
Lastly, individuals must have the right to withdraw consent as easily as they gave it, and that right must be communicated prominently. The person to whom information relates is the 'data subject'; the information itself is 'personal data'. What matters is data that can be used to directly or indirectly identify the person: a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer's IP address.
Rights & Notifications
There are a number of rights that are now granted or more strongly enforced for data subjects, along with matching obligations on the organizations that hold their data. These include:
- Data breach notification: to the supervisory authority within 72 hours of becoming aware of a breach, where feasible
- Right of access: individuals can see the data held about them and learn how it is used
- Right to erasure ("right to be forgotten"): individuals can require their data to be deleted in defined circumstances
- Data portability: individuals can obtain their data in a machine-readable format and move it to another provider
- Privacy by design and by default: appropriate technical measures built in from the start, such as pseudonymisation and encryption of stored personal data
- Data protection officers: mandatory for public authorities and for organizations whose core activities involve large-scale or sensitive data processing
Suffice it to say, organizations are now much more firmly obligated to provide these protections, and ultimately it is in their best interests to do so. At least individuals now have a clear path to resolution and remedy.
The breach-related provisions that take effect in May of next year primarily concern notification by companies that have been breached: "Data breaches which may pose a risk to individuals must be notified to the DPA within 72 hours and to affected individuals without undue delay." (The DPA is the data protection authority, the national supervisory authority.)
A few links to some more resources and information, including videos, analysis, and articles.
Reach out to Cadeon to talk about how the GDPR affects you and how to get ready for it: email@example.com or 403-475-2494.