If you live in the European Union or run a company that does business there, you have almost certainly heard of GDPR. The General Data Protection Regulation (Regulation (EU) 2016/679) became enforceable on 25 May 2018, and from that day it changed how any organisation that processes the personal data of people in the EU and the wider European Economic Area (EEA) has to operate.
With fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher, data security stopped being a "nice to have" for companies and became an essential piece of the puzzle that every business must be ready to deal with.
Yes, that probably includes you
GDPR simplifies things by replacing the 1995 Data Protection Directive (95/46/EC) and the patchwork of national laws that implemented it with a single regulation that applies directly in every member state. Even so, there is plenty for a business to take on board: rules on how personal data may be collected and used, how it must be protected while it is held, and what the people it describes are entitled to.
The first thing to get right is scope. The rules bind both data controllers, who decide what personal data is collected and why, and data processors, who handle that data on a controller's behalf (a hosting provider or a payroll service, for example). The definition of personal data is also far wider than names and addresses. It covers any information relating to an identified or identifiable natural person, where identification can be direct or indirect and can rest on an identifier such as a name, an ID number, location data or an online identifier, or on "one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person" (Article 4(1)). IP addresses, device identifiers and cookie IDs can therefore be personal data.
It is equally important to understand how broadly the rules apply territorially (Article 3). A business outside Europe is caught if it offers goods or services to people in the EU, whether or not payment is involved, or monitors their behaviour, for example by tracking visitors to its website. A business established in the EU is caught for all of its processing regardless of where the people concerned are located, so a visitor from outside the EU who uses your EU-based service gets the same protections under GDPR as anyone else.
It’s all about consent
Now that you have some idea of whether the rules apply to you, what does a company actually have to do? The most visible obligation is to have a lawful basis for processing, and for many websites that basis is consent. Consent under GDPR is not a pre-ticked box or a vague "I agree": it must be freely given, specific, informed and unambiguous (Articles 4(11) and 7). That means telling people exactly what data is collected, why it is being gathered, how long it will be kept, and who will have access to it, in plain language placed where they will actually see it. Consent is only one of the lawful bases listed in Article 6 (others include performance of a contract and legitimate interests), but the transparency duties in Articles 13 and 14 apply whichever basis you rely on.
Consent must also be as easy to withdraw as it was to give, at any time (Article 7(3)). People have the right to see the data you hold about them, normally within one month of asking (Articles 12 and 15), and the right to erasure, the "right to be forgotten", where, for example, the data is no longer needed for the purpose it was collected for or they withdraw the consent it was based on (Article 17).
When it comes to holding the data, the duties are concrete. If a breach leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data, the controller must notify the competent supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33). Where the breach is likely to result in a high risk to them, the affected individuals must be told as well, without undue delay (Article 34). Processors must report any breach to their controller without undue delay. For a controller with establishments in several member states, the authority of its main establishment acts as lead supervisory authority.
The ideal, of course, is that breaches do not happen at all. Article 32 requires controllers and processors to implement "appropriate technical and organisational measures" to secure personal data, judged against the state of the art, the cost of implementation, the nature and scope of the processing, and the risk to the people concerned. The bar therefore varies with what you collect and what is at stake, but the regulation names pseudonymisation and encryption explicitly, along with the ability to restore availability after an incident and a process for regularly testing the measures you have in place. Article 25 adds "data protection by design and by default": collect only what you need and protect it from the start, rather than bolting security on later.
Failing to secure personal data, or breaching any of the other obligations above, exposes a company to the fines mentioned at the top: up to 20 million euros or 4% of total worldwide annual turnover, whichever is higher (Article 83). Supervisory authorities can also impose a temporary or definitive ban on processing (Article 58(2)(f)), which for the majority of modern businesses would be downright disastrous.
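One of the measures Article 32 names, pseudonymisation, is easy to get wrong, so here is an added example written for this article (it is not code from the regulation, a regulator or any vendor), in Python using only the standard library. It contrasts an unkeyed hash of an e-mail address, which a simple dictionary attack re-identifies, with an HMAC under a key kept separately from the data, and then shows the controller using that key to honour the erasure request described in the consent section. The sample records, the attacker's candidate list and the key handling are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional

# Constructed sample records: fictitious people, not data from the article.
RECORDS: List[Dict[str, str]] = [
    {"email": "alice@example.com", "country": "DE", "plan": "pro"},
    {"email": "bob@example.org", "country": "FR", "plan": "free"},
    {"email": "carol@example.net", "country": "IE", "plan": "pro"},
]

# Constructed list an attacker might hold (a leaked mailing list, say).
CANDIDATES = ["mallory@example.com", "alice@example.com", "bob@example.org"]


def new_key() -> bytes:
    """Generate the secret that must be stored apart from the pseudonymised rows
    (in practice a secrets manager or HSM; assumed here)."""
    return secrets.token_bytes(32)


def weak_pseudonym(email: str) -> str:
    """Unkeyed SHA-256 of the address. It looks opaque, but anyone with a list of
    candidate addresses can recompute it, so the link to the person is not
    actually removed."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. The key is the 'additional information'
    kept separately; without it a guessed address cannot be turned into the token."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records: List[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    """Replace the direct identifier with a keyed token, e.g. before handing rows
    to an analytics processor. The e-mail address is not kept in these rows."""
    rows = []
    for r in records:
        row = {k: v for k, v in r.items() if k != "email"}
        row["subject"] = keyed_pseudonym(r["email"], key)
        rows.append(row)
    return rows


def dictionary_attack(token: str, candidates: List[str],
                      pseudonym_fn: Callable[[str], str]) -> Optional[str]:
    """Re-identification attempt by someone who has the rows but not the key:
    recompute the pseudonym for every candidate address and compare."""
    for c in candidates:
        if hmac.compare_digest(pseudonym_fn(c), token):
            return c
    return None


def erase_subject(rows: List[Dict[str, str]], email: str, key: bytes) -> List[Dict[str, str]]:
    """Honour an erasure request: the controller, holding the key, recomputes the
    person's token and drops every row carrying it."""
    token = keyed_pseudonym(email, key)
    return [r for r in rows if not hmac.compare_digest(r["subject"], token)]


if __name__ == "__main__":
    key = new_key()
    rows = pseudonymise(RECORDS, key)
    print("unkeyed hash re-identified as:",
          dictionary_attack(weak_pseudonym("alice@example.com"), CANDIDATES, weak_pseudonym))
    print("keyed token re-identified as:",
          dictionary_attack(rows[0]["subject"], CANDIDATES, weak_pseudonym))
    print("rows left after erasing alice:", len(erase_subject(rows, "alice@example.com", key)))
```

The point of the contrast is that a hash by itself only hides the address from someone who cannot guess it; e-mail addresses are cheap to guess, so the unkeyed version offers little protection and the keyed version only holds up as long as the key really is stored and access-controlled separately from the rows. The same key is what lets the controller find and delete a person's rows when they exercise their rights, so key loss is not only a security incident but a compliance problem.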
The importance of being compliant
This article is only a cursory overview of the parts of GDPR that bear on data security. It is a positive move for the rights of individuals, but many companies are still getting to grips with it, so it is more important than ever that businesses put proper safeguards in place. Fortunately, help is available to those who need it.
In practice that means knowing where personal data lives and classifying it, whether it is held on premises, in the cloud or in hybrid environments, and being able to detect the malicious or accidental exposure of that data before it becomes a reportable breach. Ignorance or lack of technical skill is no excuse for breaking the law.
Complying with these data security and privacy rules can be tough, but with similar regulations being adopted around the world, companies must be willing to adapt. Ultimately, your customers will thank you for it.