GDPR: What You Need to Know Before May 25th

April 3, 2018

The GDPR is the European Union’s General Data Protection Regulation, and it will be enforced from May 25th onward. Through it, the EU seeks to “harmonize data privacy laws across Europe, protect and empower all EU residents’ data privacy, and to reshape the way organizations across the region approach data privacy for EU residents wherever they work in the world.”

Now, you may be asking yourself, “does this even apply to me?” The answer is, most likely, yes. The GDPR applies to non-EU organizations that employ EU citizens (regardless of location), to non-EU companies that collect, process, or store data on EU citizens and/or residents, and to any organization that conducts business in the EU. If you have even the slightest feeling that you should be thinking about how to best prepare your business for it, then you definitely should be. So, what does the GDPR mean for businesses, and what can we expect from the new regulation? Read on for a rundown of the areas it addresses, so you can make sure all of your bases are covered by May 25th!

1. Increased Scope

First and foremost, it’s important to remember that the law applies to data belonging to any EU citizen or current resident, regardless of whether the related activity takes place within the EU. Before the GDPR, territorial applicability was murky and referred to data processing 'in the context of an establishment'. Now, there is absolutely no question regarding scope.

2. Explicit Consent

Second, organizations will need to obtain explicit permission to collect, process, or store personal data, using language that clearly communicates how the data will be used. Gone are the days of relying on the customer to opt out and hiding behind hard-to-understand technical language in the terms of consent. Further, the consent must be use-specific, meaning that data collected for one purpose, such as downloading a whitepaper, cannot be used for another, such as targeted marketing emails. Organizations cannot collect more data than is necessary for the stated purpose, and they must make it very simple for EU residents to withdraw their consent at any time.

3. Breach Notification

Within 72 hours of becoming aware of a security/data breach, an organization must issue all required notifications to the affected parties. Additionally, credit monitoring should be provided to those consumers whose data was compromised.

4. Right to Access

All EU citizens and residents have the right to know what data is collected, how it’s being used, where it is being stored, and who has access to it. Upon request, an organization must be able to provide an electronic copy of the collected data, free of charge. Upon review, users also have the right to request a correction to their information should it be incorrect.

5. Right to be forgotten

Consumers also have the right to demand that all of their data be erased, and in some situations they can also require an organization to cease processing their data entirely.

6. Data portability

The GDPR also introduces data portability, meaning that consumers have the right to request their data in an electronic format so that it can be transferred to another processor.

7. Privacy by design

While not a new concept, privacy by design will now be required by the GDPR. Privacy by design means that privacy should be an integral, ground-up part of digital business processes, rather than a retroactive fix.

8. Data protection officers

Under the GDPR, logging data processing activities is no longer a cumbersome requirement that varies from place to place. Instead, a single internal record-keeping requirement will be in place, in some cases requiring organizations to appoint qualified Data Protection Officers (DPOs) to oversee any activities related to handling sensitive personal data. These DPOs must be independent and will have special employment protections.

Overall, it is important to understand the significance of the GDPR, which areas of data collection and processing are affected (the answer: all of them), and what the implications are for businesses that are not prepared for the regulation's enforcement. Keep checking back with us each week as we dive into this massive regulation and make sure your business is in the clear!