Many in America have likely not heard of GDPR, the new data privacy regulation from the EU that will have significant effects on both sides of the Atlantic and far beyond.
To give it its full name, the General Data Protection Regulation was approved in Europe on April 14, 2016 and will be fully operational in less than a year, May 25, 2018 to be precise.
You should care because being out of compliance with GDPR could cost a company up to 4 percent of revenues or €20 million, whichever is greater. And be aware that of late, the EU has imposed swingeing fines on companies it believes behave as bad actors.
GDPR affects more than European companies—any company wanting to do business in the EU needs to be compliant. Time to get ready.
The EU has a website you can access here. Some of the major points covered by the regulation are summarized below.
What is GDPR?
GDPR is designed to protect personal data, which can include typical personal or account data that identifies a person: any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
In short, if you are holding electronic records that identify individuals, then GDPR applies. That would be pretty much everyone.
Who implements and administers GDPR?
That would be the Data Protection Officer (DPO) in your company. It’s not strictly required to have a DPO; it’s just treated as a really good idea, and given the stakes of getting it wrong, hiring a DPO seems like a no-brainer. Again, according to the EU site,
DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data (Article 37). If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.
A lot revolves around the idea of an individual giving consent for an entity to hold and use certain identifying data and frankly, it’s about time. As the EU points out,
The conditions for consent have been strengthened, as companies will no longer be able to utilize long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached…
So opt-in, as opposed to simple unambiguous consent, will be required in more places. Organizations that develop and hold mailing lists should already be familiar with the generally accepted good practice of double opt-in. For example, if you sign up for one of diginomica’s lists, you must complete the double opt-in before we can send you content via email.
There are rules and provisions for dealing with people who are underage, but perhaps the greatest risk businesses face will be in the form of data breaches, those times when hackers penetrate your security and make off with lots of identifying information from customer accounts.
Breaches have to be reported to the authority administering GDPR within 72 hours and to individuals “without undue delay”. This leaves one wondering what delay is reasonable if a million names and other identifying information are purloined. One of our contributors has only just received notification that an account at dailymotion was potentially pwned in a breach that occurred in 2016. My guess is a delay of some 9 months (as in this case) will be seen as unreasonable under GDPR.
The devil and the details
The details can get foggy, to say the least, and some aspects of the rules may not yet be fully baked. For example, there are three drafts of text on the subject of whether or not a DPO should be hired by any business—Commission text, Parliament text, and Council text. As the EU site explains,
Parliament adds that a DPO should be mandatory for all enterprises that process ‘Special categories’ of data, including information such as health data or religious and political beliefs. The Commission text requires any enterprise over 250 employees, while the Parliament text calls for those processing the personal data of over 5000 data subjects [aka humans] in any 12-month period.
This is par for the course. Any disruptive innovation goes through a process beginning when it is interesting but not terribly threatening to the economy overall. At some point the innovation becomes a thing we all depend upon, and at that point regulation emerges. Such is the case with the age of information and telecommunications. A few decades ago data processing was seen as an innocuous activity that saved time and money and made information available on a broader scale.
At some point we decided we couldn’t live without data. It became valuable, it told us things we didn’t know, and it used statistics so well that it began replacing gut instinct. At that point data became so necessary a part of modern life that people began stealing it or disrupting it so that others could not use it.
At the same time, data and data processing democratized, moving from the glass house to your pocket. The technology proliferation was great for most people, but it was also a boon for criminals, which ultimately brought about the need for regulation.
The best way to look at GDPR is not as some onerous regulation imposed on hard-working people by a bunch of Brussels bureaucrats but as part of a natural progression. It’s a signal that this industry has grown up and while it has more growth ahead, some sensible guardrails need putting in place. The trick now is to be ready for May 25, 2018.
Endnote – resources
diginomica has a slew of GDPR-related content which should serve as a waypoint for discovering GDPR’s impact and, of course, the usual political confusion surrounding its implementation in a post-Brexit scenario. Here, for example, are our top tips from CDOs, while this story provides a vendor’s eye view. There’s plenty more to keep you busy.