The EU recently passed a new set of privacy regulations protecting the rights of individuals and giving them control over the PII held by companies operating in the EU. The General Data Protection Regulation (GDPR) is a new regulation created by the European Parliament. It was adopted on 27 April 2016 and applies from 25 May 2018, with the next two years declared a transitional period for businesses to get ready.
The GDPR harmonises the regulations of different EU member countries. In theory, this makes it easier for companies operating in the EU not breach their obligations. But the number of rules businesses will need to comply with, and the nature of those rules, will mean some companies will need to shell out plenty of money to get their systems and processes up to snuff.
And if a company gets caught being non-compliant, the penalties are stiff. There’s no fixed penalty. Instead, the EU has opted to fine businesses up to 4% of their global revenue.
Who does the GDPR apply to?
Any organisation that collect data from EU residents (the GDPR calls them data controllers) and organisations that process data on behalf of data controllers are subject to the GDPR. If you collect an EU citizen’s data and use a cloud service to store and manage that data then all those parties are subject to the GDPR.
The focus
The GDPR sets its focus on the rights of individuals over companies.
If you’re operating in the EU then you’ll need a privacy policy that is written clear, plain English – the guidelines say it must be understandable to a child if they are affected – pertaining to how you obtain and use PII. Individuals should also have access to the data you have collected and you must have processes in place to rectify any errors they detect and to erase that data if the individual requests it.
Data portability – the ability for an individual to take their data from one company to another is also part of the GDPR. I suspect this will spawn a cottage industry for data migration services.
Individuals can object to the use of their data. There’s a designated process for dealing with objections but if you’re in the direct marketing business then you must stop using that data as soon as you receive that objection. Businesses must only collect data they need (this is termed “data minimisation”) and support pseudonymisation.
Enter the DPO
The EU suggests companies designated someone as a data protection officer. This is someone who will oversee GDPR compliance. That means ensuring internal data protection policies are documented and updated, staff training is conducted and you maintain relevant documentation on processing activities.
Data protection officers also continually review processes and assist the business with creating and improving security features and conducting data protection impact assessments.
The issue of PII protection and privacy is a big deal around the world. Australia has the updated Australian Privacy Principles. However, the situation is quite fluid in the United States where changes in government seem to cause changes in the balance between the needs of business and rights of individuals. For example, the ability for ISPs to collate and use browser history information for marketing has swung around depending on whether Democrats or Republicans are pulling the strings.
Comments