You may be hearing a lot of buzz regarding the General Data Protection Regulation (GDPR). You may also have been wondering what this means for US companies and why we should care. GDPR is a set of regulations that takes effect May 25, 2018, requiring a business to protect EU citizens' personal data. Basically, when you hear the term GDPR, think personal data. This is any information that can be linked to a person, for example name, location, IP address, etc. It is important to note that there are stricter rules to be aware of when dealing with special categories such as race, ethnicity, health data, etc.
Why is GDPR a concern for non-EU countries?
You may be thinking, so what? Why do US companies need to concern themselves with GDPR? Well, it does apply to US companies under a couple of circumstances.
1) It applies to any US company that has a branch in the EU where the processing takes place in the EU.
2) It applies to online transactions if the website is specifically targeting individuals in an EU country.
For example, if your website has a .eu domain or you offer goods and services in euros, then the rules apply no matter where in the world the business is located.
Examples of situations where GDPR does NOT apply:
- If you have an English-language website written for US consumers and an EU citizen Googles and stumbles upon your site.
- Online transactions are only covered for EU citizens who are physically in the EU when the data is collected. If an EU citizen is in the US, then GDPR would NOT apply.
Key concepts regarding GDPR companies need to know:
- Right to privacy – We are all familiar with this: the right to be left alone, not to be wiretapped, etc.
- Data protection – This means that an individual is responsible for the data that relates to them. There are many rules to enforce this and I would recommend reading up on the regulations.
- Breach reporting – If your company has a data leak, there is a limited amount of time to report it to the proper authorities and to the impacted individuals. It is important for organizations to have a process in place covering who needs to be contacted, what details the report must include, and the proper tools to comply.
- Penalties – Companies that are found non-compliant because they do not have the proper audits and rules set up will be facing some hefty fines.
Basic Principles of Processing Data:
- Fair, lawful and transparent – Companies must provide a statement or a clear action (such as a checkbox) that indicates they will be collecting the data.
- The consent form must be very transparent and the consent given freely. Be sure to save the consent forms in case of an audit.
- Obtain each consent separately. If you want to collect web information and cookies, then you must obtain two separate forms.
- Individuals have the right to be forgotten and can ask to have their data removed from your systems.
- Purpose limitation – Data collected for a stated purpose can only be used for that purpose. For example, if you are collecting data to send consumer brochures, you can only use the data to send them brochures and can’t sell the information.
- Data minimization – You must only collect the data required for the purpose. For example, if you are collecting data to send out brochures, you can ask for their email and their address, but you should not be asking for credit card information.
- Accuracy – Keep data up to date.
- Storage limitation – Store the data only as long as it is relevant. In our marketing example, it would probably only be relevant to keep this data for a few years, since it may go stale.
- Integrity and confidentiality – This principle requires that the data be kept secure; it is the data protection element of the list.
If you are a US company that has a branch in the EU or has a website that targets EU citizens, then you should start reviewing the GDPR. The bottom line is that preparing for GDPR is not going to be easy. Companies need to start reviewing their policies and seek a legal perspective, as it will require an extensive data mapping process. Start reviewing your current IT architecture with your team, focusing on the policies surrounding data. When there is a request, you need to be able to show evidence of retention, data protection, threat detection, auditing, and encryption. Having these policies in place sooner rather than later will help you stay compliant and avoid paying large fines.