New EU Data Protection Regulations – What You Need to Know

Introduction

The General Data Protection Regulation (GDPR) is a new set of regulations that goes into effect on May 25, 2018 for all companies operating in the European Union (EU). It aims to give individuals more control over their personal data and simplify regulations for international business by unifying data protection within the EU.

If you are an individual living in the EU, the GDPR gives you greater control over your personal data. If you run a business, there are important changes you need to make to ensure compliance when the regulation goes into effect. In this guide, I will outline what the GDPR is, who it applies to, and what you need to know to avoid steep penalties.

What is the GDPR?

The GDPR is a legal framework that sets guidelines for the collection and processing of personal information from individuals within the European Union. The GDPR sets out:

  • Definition of personal data – Anything that can identify an individual, such as a name, photo, email address, etc.

  • Individual rights – Right of access, right to be forgotten, data portability, etc.

  • Explicit consent – Consent must be clear and distinguishable from other matters.

  • Breach notification – Data breaches must be reported within 72 hours.

  • Privacy by design – Data protection must be part of system design.

  • Data protection officers – Required if an organization does regular monitoring or processes sensitive information.

  • Territorial scope – Applies to organizations in the EU and to those that offer goods or services to the EU.

The GDPR aims to give people more control over their data and reduce the risk of data breaches. The requirements also unify data protection regulations across the EU.

Who does the GDPR apply to?

The GDPR applies to any company that stores or processes personal data on EU citizens, regardless of where the company is based. For example:

  • EU based businesses – All companies in the EU must comply.

  • Companies offering services/goods to the EU – Applies even if the company is not located in the EU.

  • Non-EU companies processing EU citizen data – Applies to information like IP addresses that can identify EU citizens.

The regulation applies even if a business does not have a physical location in the EU. As long as you target or collect data tied to EU citizens, you need to comply.

What are the key requirements?

There are a number of important requirements and individual rights you need to be aware of:

Lawful Processing

You must have a lawful basis for processing personal data. This includes consent, contractual necessity, legal compliance, etc. You must document how data is used and why it is necessary.

Consent

If using consent as the lawful basis for processing, it must be explicit and able to be withdrawn. You cannot bundle consent or use pre-checked boxes.

Breach Notification

You must notify authorities within 72 hours if a data breach may result in a risk to an individual’s rights or freedoms.

Right to Access

Individuals have the right to see what data you have about them and how it is being used. Requests must be fulfilled within 1 month.

Right to be Forgotten

Individuals can request their data be deleted. Fulfillment is required unless there is a legitimate reason for retaining data like legal requirements.

Privacy by Design

Data protection must be part of system design and not an afterthought. You need to hold and transmit only the minimum amount of data necessary.

Data Protection Officers

If your organization does regular monitoring or processes sensitive information at a large scale, you must assign a DPO to oversee compliance.

What are the penalties for non-compliance?

The penalties for violating the GDPR are substantial. Regulatory authorities can impose fines up to €20 million or 4% of global turnover – whichever is higher.

Beyond fines, a data breach under the GDPR must be disclosed to the public. The resulting reputational damage can be severe.

Some other consequences:

  • Lawsuits from affected individuals/groups
  • Loss of customer trust
  • Suspension of data transfers to third countries
  • Class action lawsuits

In summary, the risks of non-compliance far outweigh the costs of compliance.

How to prepare for the GDPR

Here are some steps you can take to prepare:

  • Review data collection/processing – Document what personal data you have, where it came from, who you share it with, etc. Delete any data you have no lawful basis to hold.

  • Obtain consent – Review consent procedures to ensure they meet GDPR standards. Allow easy opt-outs.

  • Enable data access – Make sure you can provide data in a commonly used electronic format upon request.

  • Data breach plan – Have a response plan ready in case of a breach. Document all breaches.

  • Assign DPO – Designate a data protection officer if required.

  • Review policies – Update privacy policies and internal policies to meet requirements.

  • Follow privacy by design – Adopt data minimization, anonymization, and encryption to protect data.

  • Train employees – Educate staff on the GDPR and its requirements. Stress privacy and security.

Preparing for the GDPR requires reviewing all areas of your business impacted by data processing. By taking steps to comply now, you can avoid painful penalties and ensure you respect EU citizen privacy.

Conclusion

The GDPR provides individuals with more control over their personal data. All companies that handle EU citizen data must comply by May 25, 2018 or face steep fines. Review your data collection, storage, and policies to avoid running afoul of the new regulation. With the GDPR in effect, privacy and data protection must be embedded into your systems and business practices.