10 Things to Know About GDPR
What does GDPR have to do with me? U.S. businesses may not realize that the General Data Protection Regulation doesn't just apply to organizations in the European Union. It applies to any organization, wherever it is located, that processes personal data of individuals in the EU, for example by offering them goods or services or monitoring their behaviour. This blog post highlights 10 other important facts about GDPR.
- GDPR became enforceable on May 25, 2018. This followed adoption of the regulation by the European Parliament in April 2016, with a two-year transition period for organizations to prepare.
- The intention of GDPR is to strengthen and unify data protection for EU residents. Before GDPR, the 28 EU member states had different levels of data protection. The new regulation brings all states to the same level, although the United Kingdom could become an exception through Brexit. The new level is considerably higher than before.
- Personal data is any information relating to an identified or identifiable person. Examples include a name, a photo, an email address, bank details, posts on social networking websites, medical information, and a computer's IP address. Identifiers that only indirectly single out a person, such as a device ID or a cookie value, still count.
- GDPR spells out concrete security requirements. Article 32 ("security of processing") requires organizations to implement measures appropriate to the risk, including 1) pseudonymisation and encryption of personal data, 2) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, 3) the ability to restore the availability of and access to personal data in a timely manner after a physical or technical incident, and 4) a process for regularly testing, assessing and evaluating the effectiveness of those measures.
- Non-compliance can lead to heavy fines. Organizations can be fined up to 4% of annual global turnover or €20 million, whichever is greater. This is the maximum fine for the most serious infringements, such as processing data without a valid legal basis (for example, without sufficient consent) or violating data subjects' rights. A lower tier of up to 2% of turnover or €10 million applies to other infringements, such as failing to keep adequate records or to notify a breach.
- The conditions for consent have been strengthened. A request for consent to data processing must be presented in an intelligible and easily accessible form, clearly distinguishable from other matters, and cannot be buried in long, illegible terms and conditions. Consent must be freely given, specific, informed and unambiguous, and it must be given separately for each distinct purpose; a pre-ticked box does not count.
- Data subjects have wide-ranging rights. For instance, they have the right to obtain information on how their data is being used, the right to withdraw consent at any time, and the right to have their data erased or transferred to another provider. Breach notification works in two steps: the data controller must notify the supervisory authority within 72 hours of becoming aware of a breach (Article 33), and must inform the affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms (Article 34). Processors, for their part, must notify the controller without undue delay.
- "Privacy by design" is an important element of GDPR. Article 25 requires data protection by design and by default: data protection must be a core consideration when designing systems and services, not an afterthought, and by default only the personal data necessary for each specific purpose may be collected and processed. The regulation names pseudonymisation and data minimisation as examples of such measures.
- Another way to strengthen information protection is to increase the security of networked devices. Cybercriminal activity is often directed at the endpoints that hold or forward personal data: PCs, printers and servers can be the weak link in the defense against corporate data theft and malicious attack, so patching, hardening and monitoring them is part of meeting GDPR's security obligations.
- The EU GDPR Information Portal can be a helpful GDPR resource. In addition, it is wise to review your current data protection strategy with your legal advisor as well as your IT provider to confirm that it meets the regulation's requirements.
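The "privacy by design" item above is easier to act on with a concrete picture of what data minimisation and pseudonymisation look like in code. The following is an added example written for this post, not code from the original post or from any product it mentions. It takes a constructed application event containing personal data and produces the record that would be handed to an analytics or logging pipeline: fields that are not needed for the purpose are dropped, the email address is replaced by a keyed HMAC-SHA256 pseudonym so events from the same user still link up but the address cannot be recovered without the key, and the IP address is truncated. The key name, the field allow-list and the sample event are assumptions for illustration; in a real deployment the key would come from a secrets store held separately from the analytics data.

```python
import hashlib
import hmac

# Constructed sample event, not real data: the raw record an application
# might emit before any privacy-by-design handling is applied.
RAW_EVENT = {
    "email": "Alice@Example.com",
    "ip": "203.0.113.42",
    "dob": "1987-03-14",
    "page": "/checkout",
    "timestamp": "2018-05-25T10:00:00Z",
}

# Hypothetical pseudonymisation key. Keep it in a secrets store separate
# from the pseudonymised data, so that a copy of the dataset alone cannot
# be reversed back to real identities. Rotating or destroying the key
# breaks the link to individuals for everything pseudonymised with it.
PSEUDONYM_KEY = b"replace-with-a-256-bit-secret-from-your-vault"

# Data minimisation: the only raw fields the analytics purpose needs.
# Everything else (date of birth, raw email, raw IP) is dropped or transformed.
ANALYTICS_FIELDS = {"page", "timestamp"}


def pseudonymise(identifier, key=PSEUDONYM_KEY):
    """Return a keyed hash (HMAC-SHA256) of an identifier.

    Deterministic for a given key, so one person's events can be joined,
    but not reversible and not linkable across datasets that use other keys.
    Normalising case and whitespace keeps 'Alice@Example.com' and
    'alice@example.com' mapped to the same pseudonym.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def truncate_ip(ip):
    """Zero the host octet of an IPv4 address.

    Keeps enough for coarse geography or abuse statistics while no longer
    identifying a single machine. IPv6 is out of scope for this example.
    """
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError("expected a dotted-quad IPv4 address")
    return ".".join(parts[:3] + ["0"])


def minimise(event):
    """Build the record that leaves the application boundary.

    Only allow-listed fields are copied through; identifying fields are
    replaced by their privacy-preserving derivatives. Any new field added
    to the raw event is excluded by default rather than leaked by default.
    """
    out = {k: v for k, v in event.items() if k in ANALYTICS_FIELDS}
    out["user_pseudonym"] = pseudonymise(event["email"])
    out["ip_prefix"] = truncate_ip(event["ip"])
    return out


def leaked_fields(record, allowed=ANALYTICS_FIELDS | {"user_pseudonym", "ip_prefix"}):
    """Privacy gate: list any fields in an outgoing record that are not on
    the allow-list. Run this in tests so that a developer adding a field
    to the raw event cannot silently widen what is exported."""
    return sorted(set(record) - allowed)


if __name__ == "__main__":
    safe = minimise(RAW_EVENT)
    print(safe)
    print("unexpected fields:", leaked_fields(safe))
```

The allow-list approach (`ANALYTICS_FIELDS`) is the point of "by default": a new attribute added to the raw event is excluded unless someone deliberately adds it to the list, which is the design decision Article 25 asks for. The `leaked_fields` check belongs in the test suite so that change is reviewed rather than discovered in a breach.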