GDPR Compliance Explained


GDPR stands for General Data Protection Regulation and it is a privacy law set out by the European Union (EU). It became effective as of May 25th 2018. Even though it was set out by the EU, it affects all companies that collect information about citizens of the EU. Ernst & Young estimated that the world’s 500 biggest corporations are on track to spend up to $7.8 billion on GDPR compliance. As of January 2020, GDPR has led to over $126 million in fines, with the biggest fine being 50 million euros paid out by Google.

What is GDPR?

GDPR is a list of regulations around handling consumer information. It affects all companies that are based in the EU or that collect information from any EU residents. It focuses on making companies accountable for protecting their customers’ information and giving customers a greater level of control over their private information.

Failure to comply with these requirements can result in fines of up to 20 million euros or up to 4% of the offending company’s annual revenue, whichever is greater. For lesser offences the fine is halved: up to 10 million euros or up to 2% of annual revenue. Here are some of the main requirements for GDPR compliance:

*also see this checklist provided by the GDPR website for evaluating your company’s compliance.

You must obtain consent

Companies must ask for consent in a clear way. It can’t be hidden in long terms and conditions or in complex language that the normal person wouldn’t be able to understand. Additionally, people must have the option to withdraw their consent at any time.

Timely Breach Notification

If a security breach occurs, you have 72 hours to report it to any affected customers or data controllers. The GDPR defines a data controller as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. Simply put, a data controller is anyone responsible for how the information is used and processed. Failure to report within this window can result in fines.

Right to Data Access

Customers have the right to request an existing data profile, outlining in full detail all of the information you have collected about them. This report should also include all of the means by which you collected this information about them and must be free of cost. It should be provided without undue delay and at the latest within one month. Additionally, customers should be able to update their information at any time.

Right to be Forgotten

This means the right to data deletion. Once the original reason for which a customer’s data was collected is fulfilled, customers have the right to request that their personal data is totally deleted. Companies have one month to respond to this request.

The Right to Data Portability

Users must be able to obtain their information from you and reuse that data for their own purposes. This includes:

  • Personal data that was provided by the individual

  • Personal data generated by automated means such as smart meters or wearable devices

  • Personal data processed based on the individual’s consent or for the performance of a contract

Privacy by Design

GDPR requires that companies design their systems with secure protocols from the start, as opposed to adding security afterwards. Some of the key points mentioned on the GDPR website include:

  • Encrypt, Pseudonymize or Randomize personal data wherever possible

  • Create an internal security policy for your team members and build awareness about data protection 

  • Have a process in place to notify authorities and customers in the event of a data breach

  • Conduct a data protection impact assessment whenever you’re going to process personal data. The UK Information Commissioner’s Office (ICO) has a data protection impact assessment checklist.

  • Consider data protection at all times and from the beginning of developing a product. 
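The first point above, pseudonymizing personal data, is easy to get wrong: a plain hash of an e-mail address is not a pseudonym, because anyone can hash a guessed address and compare. The following Python is an added example, not code from the article or from any GDPR guidance; it shows a keyed pseudonym (HMAC-SHA256) that keeps records joinable for analytics while the direct identifier stays unrecoverable without the key, and keeps the re-identification table apart from the data set, as the GDPR definition of pseudonymisation requires. The key, the record and the candidate addresses are all constructed for the example.

```python
# Added example (not from the article): pseudonymizing personal data with a
# keyed hash. The key, record and candidate addresses below are constructed.
import hashlib
import hmac
from typing import Dict, Iterable, Optional


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256 of the value. Shown only to demonstrate the weakness:
    the output is reproducible by anyone who can guess the input."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key: the same input always yields the same
    token (records stay linkable), but the token cannot be reproduced or
    checked against a guess without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def guess_identity(token: str, candidates: Iterable[str],
                   key: Optional[bytes] = None) -> Optional[str]:
    """Dictionary check an attacker would run: hash each candidate identifier
    and compare with the token. Returns the matching candidate or None.
    With key=None it succeeds against unkeyed hashes; against keyed tokens it
    only succeeds if the caller already holds the real key."""
    for candidate in candidates:
        digest = (unkeyed_hash(candidate) if key is None
                  else keyed_pseudonym(candidate, key))
        if hmac.compare_digest(digest, token):
            return candidate
    return None


class Pseudonymizer:
    """Holds the key and the token-to-identifier table. Both must be stored
    separately from the pseudonymized data set and under tighter access
    control, otherwise the data is merely obfuscated, not pseudonymized."""

    def __init__(self, key: bytes):
        self._key = key
        self._table: Dict[str, Dict[str, str]] = {}

    def pseudonymize_record(self, record: Dict[str, object],
                            identifier_fields: Iterable[str]) -> Dict[str, object]:
        """Return a copy of the record with each listed identifier field
        replaced by its keyed token; non-identifier fields are untouched."""
        out = dict(record)
        for field in identifier_fields:
            value = out.get(field)
            if isinstance(value, str):
                token = keyed_pseudonym(value, self._key)
                self._table.setdefault(field, {})[token] = value
                out[field] = token
        return out

    def reidentify(self, field: str, token: str) -> Optional[str]:
        """Look a token up in the separately held table (e.g. to serve a
        data-access or deletion request). Returns None if unknown."""
        return self._table.get(field, {}).get(token)


if __name__ == "__main__":
    KEY = b"constructed-example-key-do-not-reuse"  # constructed; use a managed secret
    p = Pseudonymizer(KEY)
    record = {"email": "alice@example.com", "purchase_total": 42}  # constructed
    safe = p.pseudonymize_record(record, ["email"])
    print("pseudonymized record:", safe)
    print("re-identified via table:", p.reidentify("email", safe["email"]))
    guesses = ["bob@example.com", "alice@example.com"]  # constructed candidates
    print("guess vs unkeyed hash:", guess_identity(unkeyed_hash(record["email"]), guesses))
    print("guess vs keyed token:", guess_identity(safe["email"], guesses))
```

The unkeyed hash is recovered by the dictionary check straight away, while the keyed token is not; the pseudonymized record still carries `purchase_total`, so it remains usable for processing that does not need the identity.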

Have an Appointed Data Officer

All companies handling EU information should have someone responsible for handling EU resident information. But depending on the size of your company and the extent to which you collect and process data, you may be required to appoint a data protection officer. You are required to if you meet one of the following criteria:

  • Public Authority — The processing of personal data is done by a public body or public authorities, with exemptions granted to courts and other independent judicial authorities.

  • Large Scale, Regular Monitoring — The processing of personal data is the core activity of an organization who regularly and systematically observes its “data subjects” (which, under the GDPR, means citizens or residents of the EU) on a large scale.

  • Large-Scale Special Data Categories — The processing of specific “special” data categories (as defined by the GDPR) is part of an organization’s core activity and is done on a large scale.


GDPR is a regulation similar to HIPAA or PCI-DSS that mandates that companies protect their consumer information. GDPR specifically affects all companies that are based in the EU or have customers/clients in the EU. Failure to comply with GDPR standards can result in heavy fines of up to 4% of your annual revenue or 20 million euros, whichever is higher. In addition to the insights in this article, here you can find a GDPR compliance checklist from the GDPR website itself so you can evaluate if your company is up to standard.