Regardless of whether you live in the European Union, you’ve likely heard talk about GDPR—which stands for the General Data Protection Regulation (GDPR). GDPR is focused on protecting the data privacy of EU residents, but how does this tie into your business? This post piece will provide some key points on this topic.
First, what exactly is GDPR?
GDPR is a regulation in EU law on data protection and privacy for all residents within the EU. The regulation supersedes any previous country-level directives for the EU member states without any need for further national legislation.
After Parliament approval in April 2016, the regulation went into effect on May 25, 2018. The aim of GDPR is to strengthen and unify data protection for all individuals in the EU; this includes protecting information that has been moved outside of the EU.
Applicable personal data is any information relating to an individual, whether it corresponds to his or her private, professional, or public life. This may include a name, a home address, a photo, an email address, bank information, social networking posts, medical details, and a computer’s IP address.
The fines for non-compliance can reach 4% of annual global turnover or €20 million, whichever is greater.
How does GDPR apply to my business?
Does your business handle any kind of personally identifiable information on EU residents? For instance, do you handle credit card information for European residents purchasing your products? If so, then the regulation applies to you—even if your business is located outside of the EU.
There’s a wide range of ways you could be collecting personal data on these individuals; it is important you consider all of these potential cases. Then, you must ensure that you comply with GDPR for this information. This includes:
- Designing systems with data protection in mind from the onset, as opposed to as an addition.
- Prior to processing data, obtaining consent that is specific and for a purpose, informed, and freely given. The request for consent must also be in clear and plain language as well as easily accessible.
- Passing on personal data appropriately, including in the required format.
- When questioned by an individual, confirming whether his or her personal data is being processed, where this is taking place, and for what purpose. The business must also provide a copy of the personal data, free of charge and in electronic format, if requested.
- In certain cases, naming a data protection officer, internal staff member, or external service provider to keep records up to date for the Data Protection Authority (DPA) to regularly review. This is a requirement for a) public authorities, b) organizations that engage in large-scale systematic monitoring, and c) organizations that engage in large-scale processing of sensitive personal data.
- Erasing personal data and preventing third parties from processing it when an individual has withdrawn consent.
- Notifying customers when a breach of this information has occurred. If the breach is likely to result in a risk of rights and freedoms of individuals, customers must be notified within 72 hours of becoming aware of the breach.
As part of complying with GDPR, organizations must also ensure that their networked devices as well as software tools have been incorporated into their data protection strategy. For example, they should employ encryption methods for both on-premises and cloud IT environments that protect servers, PC peripheral hard drives (including those found in printers), storage, networks, and enterprise content management systems.
To learn more about GDPR and how it can affect your business, download free whitepaper here.