The General Data Protection Regulation (GDPR) is a data privacy and security law adopted by the European Union in 2016 and enforceable since 25 May 2018. It quickly earned a reputation as one of the toughest privacy laws in the world, both for its scope and for its enforcement. We’ve had some questions about GDPR lately, so this is a good time for an introduction, as well as a refresher for companies that scrambled to put a plan together in 2018 and haven’t thought about it since.
What does GDPR Cover?
GDPR was implemented to protect the personal data of people in the European Union (the regulation calls them data subjects), regardless of their citizenship. This means the law applies not only to businesses established in the EU, but to any business, anywhere, that offers goods or services to people in the EU or monitors their behaviour, and therefore holds their personal data. For example, if you sell goods or services to someone who lives in the EU, you are processing data protected by GDPR. Because separating that data from the rest of your customer data is difficult in practice, many businesses have chosen to adopt GDPR-compliant practices and apply them to all of their data processing.
Consent is a major component of this law. Consent requests must be presented clearly, and the consent itself must be “freely given, specific, informed and unambiguous” (Article 4(11)). This means plainly asking permission before collecting customer data, and keeping documentary evidence of the consent itself (what was asked, when, and how the person agreed) so you can demonstrate it later. A customer may withdraw consent at any time, and withdrawing must be as easy as giving it; once consent is withdrawn you must stop any processing that relied on it. Separately, the customer may also exercise the right to erasure and ask you to delete their personal data.
Consent is only one of six lawful bases for processing personal data (Article 6). Processing is lawful when at least one of the following applies:
- The person has given consent, such as a clear opt-in to a newsletter or marketing list on a registration form
- Processing is necessary to perform a contract with the person, or to take steps at their request before entering one, such as fulfilling a subscription to a service
- Processing is necessary to meet a legal obligation, such as a court order or statutory record-keeping
- Processing is necessary to protect someone’s life (their vital interests), such as sharing medical details in an emergency
- Processing is necessary for a task carried out in the public interest or under official authority, such as a municipality running a recycling collection service
- You have a “legitimate interest” that is not overridden by the person’s rights and freedoms, such as investigating fraud or ensuring network and information security
If you have a lawful basis for processing, you are responsible for doing so in line with GDPR’s data protection principles (Article 5), which state:
- Your processing must be lawful (on one of the bases above), fair, and transparent to the data subject.
- You may only use the data for the purposes you told the person about (purpose limitation).
- You should only process as much data as is necessary for those purposes (data minimisation).
- The data must be kept accurate and up to date.
- You may only keep the data for as long as you said, or as long as its purpose requires (storage limitation).
- You must process data in a way that ensures its security, integrity and confidentiality.
- You must be able to demonstrate compliance with all of the above (accountability).
Finally, data must be processed securely (Article 32). This requirement is deliberately open-ended: it asks for “appropriate technical and organisational measures”, judged against the state of the art, the cost of implementation, and the risk to the people whose data you hold. The regulation does name the kinds of measures it has in mind: pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems; the ability to restore access to personal data promptly after an incident; and regular testing and evaluation of those measures. If your organization is already focused on security and data protection, complying with this step shouldn’t prove too difficult; in practice it means things like regular risk assessments, employee training, encryption of personal data in transit and at rest, access controls, and a tested incident response process. Keep in mind that a personal data breach likely to result in a risk to individuals must be reported to the supervisory authority within 72 hours of your becoming aware of it (Article 33), so that process needs to exist before you need it.
Impact of Noncompliance
The impact of poor data protection speaks for itself: a data breach can halt business operations, damage public perception, and trigger regulatory action. Specifically for GDPR, though, the largest direct impact is financial. Noncompliance carries hefty fines in two tiers. A lower-tier violation (for example, failing to implement appropriate security measures or to notify a breach) can result in fines of up to €10 million (about $11 million) or 2% of the company’s total worldwide annual turnover for the preceding financial year, whichever is greater. For a higher-tier violation (such as breaching the basic principles of processing, the conditions for consent, or data subjects’ rights), the ceiling doubles to €20 million (about $22 million) or 4% of worldwide annual turnover, again whichever is higher. By January 2021, the combined value of fines issued under GDPR had reached roughly $332 million.
If you are a company that does business with or collects and stores data from anyone in the EU in any way, here are five key takeaways:
- You may need to appoint a Data Protection Officer (DPO). This is mandatory for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data (Article 37); otherwise it is optional, but still a sound way to keep your GDPR program on track.
- Your company could face heavy fines if it fails to comply.
- Fines can reach 4% of annual global turnover or €20 million (about $22 million), whichever is greater.
- The law applies to all controllers and processors handling the personal data of people in the EU, including cloud-based businesses and companies with no physical presence in the EU.
- Any information relating to an identified or identifiable person (a name, an email address, an IP address, a device or cookie identifier, location data) is personal data and falls under GDPR.
How We Help
The changes and additional responsibilities that GDPR brings may appear overwhelming for many organizations, but we have a solution that can help. RiskWatch offers risk, security, and compliance management software that gives you an easy-to-manage platform for tracking your risk and compliance efforts. Our prebuilt GDPR content library turns all 88 pages of the regulation into an easy-to-answer survey that identifies areas of concern and offers suggested remediation. Take a product tour or sign up for a free trial if you want to see how it works.
For more details, assistance, or learning outside of RiskWatch, visit https://gdpr.eu/tag/gdpr/ to read the entire regulation.