It is hailed by the European Union as “the most important change in data privacy regulation in 20 years” and it takes effect on 25 May 2018. But what is the General Data Protection Regulation (GDPR) and how will it impact SMBs/SMEs across the globe?
What Is GDPR & What Is Its Purpose?
GDPR is the culmination of four years’ work by the European Union to overhaul data protection laws across Europe, and update them to reflect the myriad of previously unforeseen ways that data is being utilized today.
When it comes into effect on 25 May 2018, GDPR will replace the 1995 Data Protection Directive and the national laws that implement it across the European Union’s member states (all 28 of them). Because it is a regulation rather than a directive, it applies directly without having to be transposed into national law, although member states may still pass supplementary legislation in the areas where the regulation leaves them room.
So while the UK, for example, currently adheres to the Data Protection Act 1998, this will be replaced by GDPR once it is enforced next year. The fact that GDPR will more or less standardize data protection laws across the European Union is one of its defining aspects.
The purpose of GDPR is twofold.
First, the EU wanted to give its citizens more control over how their data is collected, handled, utilized, and disposed of once it is no longer needed. This is particularly important because of the innumerable ways data is used by organizations today.
It’s worth remembering that many existing data protection laws were enacted before innovative technologies – such as the cloud and IoT devices – were being used in the mainstream of daily life.
Let’s also not forget that companies like Google and Facebook provide access to their services in return for people’s data. When you think about it, these Internet behemoths know everything about us, from our date of birth and email address to which band we are currently listening to.
Second, GDPR is designed to provide businesses with a much clearer, simpler legal environment in which to operate. This will be achieved by making data protection law identical across the single market, a measure that the EU itself estimates will save businesses €2.3 billion ($2.7 billion) a year collectively.
Is The U.S. Impacted By GDPR?
Even if you are a U.S.-based company that does not operate in Europe and does not have any European customers, it would still be prudent to understand what changes GDPR will introduce when it is implemented in May 2018.
That’s because GDPR will have a global impact and many businesses could end up breaking certain aspects of it without even knowing.
Indeed, Gartner predicts that by the end of 2018, “more than 50 percent of companies affected by GDPR will not be in full compliance with its requirements” [source: Gartner].
Companies that are found to be non-compliant with GDPR face fines in two tiers: up to €10 million or 2% of global annual turnover for breaches of obligations such as security and breach notification, and up to €20 million ($23.6 million) or 4% of global annual turnover for breaches of the core principles, data subject rights and cross-border transfer rules, whichever is higher in each case. It’s also widely thought that non-EU companies will be a particular target of the higher fines.
Perhaps the biggest change for U.S.-based companies to be aware of is the obligations of data controllers and data processors under GDPR.
According to article 4 of the General Data Protection Regulation, data controllers and data processors are defined as follows:
- A data controller is the “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
- A data processor is a “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
In short, a data controller is an entity that states why and how personal data is processed. A data processor is the entity that actually does the processing.
Previously, compliance with privacy requirements sat squarely on the shoulders of data controllers. Under GDPR, data processors have direct obligations of their own: to process only on the controller’s documented instructions, to implement appropriate security measures, and to notify the controller of a breach without undue delay (Articles 28 and 33). A processor that fails in these can be fined and sued directly. Note also that GDPR protects the personal data of individuals who are in the EU, regardless of their citizenship, and that it reaches organizations outside the EU that offer goods or services to those individuals or monitor their behaviour (Article 3).
So, if you are a company that processes the personal data of people in the EU on behalf of other businesses, you absolutely need to be aware of the changes that are coming and ensure you are in compliance with them.
Other key features of GDPR you need to be aware of are:
- Consent – Where you rely on consent as your lawful basis, it must be freely given, specific, informed and unambiguous, expressed by a clear affirmative action (pre-ticked boxes and silence do not count), and as easy to withdraw as it was to give. The controller must state the exact purpose the data will be used for before collecting it. Consent is only one of six lawful bases (performance of a contract, a legal obligation and legitimate interests are others), so not every processing activity needs it. For online services offered directly to children, the consent of a parent or guardian is required below the age of 16 (member states may lower this to 13).
- Encryption – GDPR does not mandate that all data be encrypted. Article 32 requires security measures appropriate to the risk and names encryption and pseudonymization as examples of such measures. The incentive is nonetheless strong: if breached data was rendered unintelligible to anyone not authorized to access it, for example because it was properly encrypted and the key was not compromised, you are not required to notify the affected individuals (Article 34).
- Pseudonymization – Processing personal data so that it can no longer be attributed to a specific individual without additional information, such as a lookup key, that is kept separately and protected. Pseudonymized data is still personal data, but the regulation recognizes pseudonymization as an appropriate safeguard and encourages its use.
- The scope of the term “personal data” – Will be much broader and explicitly include online identifiers such as IP addresses and mobile device IDs, location data, genetic data and biometric data, as well as information such as names, addresses and photos.
- An individual’s right of access – Individuals will have the right to know whether you hold data about them, to obtain a copy of it, and to learn the purposes, recipients and retention period; you generally have one month to respond.
- Also, their right to erasure – They will also be able to request that this information be deleted without undue delay, for instance where it is no longer needed for the purpose it was collected or they withdraw consent. In other words, it must be expunged quickly, not weeks or months down the line. The right is not absolute: data you are legally obliged to keep, for example for tax purposes, can be retained.
- Breach notifications – Any company that suffers a personal data breach, whether accidental or as the result of a cyber-attack, must report it to its supervisory authority within 72 hours of becoming aware of it where feasible, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. If the breach is likely to result in a high risk, the organization must also communicate it directly to each affected individual; only where that would involve disproportionate effort may a public communication such as a press release be used instead.
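As an added illustration of the pseudonymization and erasure points above (example code written for this page, not from the regulation or any cited guidance), the Python below separates the identifying fields of a customer record from the rest of the record using a keyed token, keeps the re-identification map in a separate object, and shows why an unkeyed hash of an e-mail address is a poor substitute. The records, field names and the `PseudonymisationVault` class are constructed for the example. In a real deployment the key and the map would live in a separately access-controlled store, and an erasure request may also require deleting or aggregating the remaining records, which depends on the purpose and retention rules of your processing.

```python
"""Pseudonymisation with a keyed token and a separately held re-identification
map. Added example for this article: the class, records and field names are
constructed for illustration and are not taken from GDPR or any guidance."""

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Constructed sample records, the kind of data a small online shop holds.
SAMPLE_RECORDS = [
    {"email": "alice@example.org", "name": "Alice Example", "country": "DE", "order_total": 120.50},
    {"email": "Bob@example.net", "name": "Bob Example", "country": "FR", "order_total": 42.00},
    {"email": "alice@example.org", "name": "Alice Example", "country": "DE", "order_total": 15.00},
]

# Fields that identify a person directly and must not stay in the working data set.
IDENTIFYING_FIELDS = ("email", "name")


@dataclass
class PseudonymisationVault:
    """Holds the secret key and the token -> identity map.

    This is the 'additional information' of Art. 4(5): it must be kept apart
    from the pseudonymised data and under stricter access control. Here that
    separation is modelled simply as a different object from the data set.
    """
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    identities: Dict[str, dict] = field(default_factory=dict)

    def token_for(self, email: str) -> str:
        # HMAC-SHA256 over the normalised address: the same person always gets
        # the same token, so their records still link for analytics, but
        # without the key nobody holding only the data set can recompute or
        # guess the token from a list of candidate addresses.
        normalised = email.strip().lower().encode("utf-8")
        return hmac.new(self.key, normalised, hashlib.sha256).hexdigest()[:32]

    def pseudonymise(self, record: dict) -> dict:
        """Return a copy of the record with identifiers replaced by a token."""
        token = self.token_for(record["email"])
        self.identities.setdefault(token, {f: record[f] for f in IDENTIFYING_FIELDS})
        working = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
        working["subject_token"] = token
        return working

    def reidentify(self, token: str) -> Optional[dict]:
        """Only code with access to the vault can turn a token back into a person."""
        return self.identities.get(token)

    def erase(self, email: str) -> bool:
        """Erasure request: remove the mapping so the working data set can no
        longer be linked to this person. Returns False if nothing was held."""
        return self.identities.pop(self.token_for(email), None) is not None


def build_dataset(records: Iterable[dict], vault: PseudonymisationVault) -> List[dict]:
    """Produce the pseudonymised working data set that analysts and reports use."""
    return [vault.pseudonymise(r) for r in records]


def unkeyed_hash_is_guessable(target_email: str, candidate_emails: Iterable[str]) -> bool:
    """Why plain SHA-256(email) is not effective pseudonymisation: anyone with a
    list of plausible addresses (a marketing list, a breach dump) recomputes the
    hashes and matches them, no secret required."""
    target = hashlib.sha256(target_email.encode("utf-8")).hexdigest()
    return any(hashlib.sha256(c.encode("utf-8")).hexdigest() == target for c in candidate_emails)


if __name__ == "__main__":
    vault = PseudonymisationVault()
    dataset = build_dataset(SAMPLE_RECORDS, vault)
    for row in dataset:
        print(row)  # no e-mail or name, only subject_token and the order data
    token = dataset[0]["subject_token"]
    print("re-identified:", vault.reidentify(token))
    vault.erase("alice@example.org")
    print("after erasure:", vault.reidentify(token))
    print("unkeyed hash guessable:",
          unkeyed_hash_is_guessable("bob@example.net", ["alice@example.org", "bob@example.net"]))
```

The keyed token is what makes the separation meaningful: a breach of the working data set alone exposes order histories tied to opaque tokens, while a breach of the vault alone exposes a list of names with no behaviour attached. Rotating the key, or deleting the vault entirely, is also a fast way to make an archived data set effectively anonymous when it reaches the end of its retention period.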
How Does GDPR Compare To U.S. Data Protection Laws?
Data protection laws in Europe and the U.S. differ widely. In Europe, data privacy is viewed as a fundamental human right and this was the case even before GDPR was agreed.
By contrast, it has been argued, including in numerous academic papers, that the U.S. does not treat data privacy as a right of the same standing, and that this is down to First Amendment protection of the collection and sale of information.
In Sorrell v. IMS Health (2011), the U.S. Supreme Court struck down a Vermont law restricting the sale of prescriber-identifying pharmacy records, holding that the restriction violated the First Amendment. It was a blow for data protection laws and data privacy alike.
So, rather than enact a set of overarching data privacy and protection laws that apply across the board, the U.S. approach is to implement new pieces of legislation when a need for them arises. As a result, regulations relating to the privacy and protection of U.S. citizens’ data are handled per category. For example, health information is regulated under the Health Insurance Portability and Accountability Act (HIPAA), and financial information is regulated under the Gramm-Leach-Bliley Act (GLBA) and the federal Fair Credit Reporting Act (FCRA).
It is also worth mentioning that the Children’s Online Privacy Protection Act (COPPA), through the FTC rule that implements it, protects the personal data of children under 13 collected online, and that the state of California has its own separate data protection act, the California Online Privacy Protection Act (CalOPPA).
What Do SMBs/SMEs Need To Do To Prepare?
With very little time to waste, SMBs and SMEs need to start preparing for the implementation of GDPR now. Being unaware of obligations or not understanding the different types of data in their possession will not be legitimate defenses after GDPR is in place.
Below are some of the ways SMBs and SMEs can ensure they are prepared for the implementation of GDPR.
NB – These steps do not constitute legal advice and should always be considered alongside professional legal guidance pertaining to your particular company.
1. Raise awareness
GDPR is coming, whether we like it or not, which is why awareness of its impending implementation should be raised within your organization. Every decision maker and key person in your company needs to be aware.
2. Figure out what data you hold
You may need to conduct an information audit. That’s because you need to know exactly what data you hold, where it came from, and what you do with it/who you share it with.
3. Assess your current procedures for obtaining consent
Under GDPR, consent must be a clear affirmative act: an unticked box that the data subject ticks (or similar), given separately for each distinct purpose, and you must be able to demonstrate that it was given. Pre-ticked boxes, bundled consent and consent buried in terms and conditions will not count. Review how you currently seek, obtain and record consent, decide whether consent is actually the right lawful basis for each processing activity, and amend the procedure wherever it falls short.
4. Embrace Privacy by Design
Privacy by Design is an approach in which data privacy and protection are taken into account from the start and at every stage of handling personal data. GDPR turns it into a legal obligation under the name “data protection by design and by default” (Article 25): build safeguards such as data minimization and pseudonymization into systems as you design them, and make the most privacy-protective settings the default rather than an opt-in.
5. Review your retention policy
Review your current data retention policies and check they meet the requirements laid out in GDPR. The most pertinent point is that data should not be retained longer than necessary. In other words, once you’re finished with it, dispose of it appropriately.
6. Check privacy policies and notices
Any privacy policies and notices on your web assets or traditional forms of media need to be updated to reflect GDPR. They should include (as a minimum) information on why you are collecting a person’s data, what you will do with it, how long you will retain it, and highlight their right to complain if they believe you are mishandling their data.
7. Third-party risks
It’s absolutely essential for you to perform due diligence across your supply chain and choose your strategic partners carefully. GDPR requires a written contract with every processor that sets out the subject matter, duration and purpose of the processing and the processor’s obligations (Article 28), so every vendor that handles personal data on your behalf needs to understand what GDPR is and be in compliance with it before 25 May 2018.
8. Cross-border data transfers
Violations of the conditions relating to cross-border transfer of personal data out of the EU incur the highest category of fines. A transfer to a country outside the European Economic Area needs a lawful mechanism, such as an EU adequacy decision for the destination country, standard contractual clauses, binding corporate rules or, for U.S. companies, certification under the EU-U.S. Privacy Shield framework. You need to understand which of these covers each transfer your organization makes, including transfers to cloud providers, or face heavy penalties.
9. Prepare for data breaches
Information security should already be a major concern for your organization, but with GDPR just around the corner, you need to be even more conscientious. Review and update any procedures you already have in place to help detect, report, and investigate data breaches that involve personal data.
10. Determine who your supervisory authority will be
Put simply, your supervisory authority will be the main data protection regulator your organization deals with. If you have establishments in more than one EU country, your lead supervisory authority is that of your ‘main establishment’, that is, your organization’s central administration in Europe. If you have no establishment in the EU at all but are still caught by GDPR, you do not benefit from this ‘one-stop shop’: you answer to the authority of each member state whose residents’ data you process, and you will generally need to appoint a representative in the EU (Article 27).
Resources For Additional Assistance
- The General Data Protection Regulation itself, despite being rather heavy reading, contains everything about the forthcoming changes under GDPR.
- This 12-step guide produced by the UK Information Commissioner’s Office contains some great information that also applies to U.S.-based companies.
Finally, it goes without saying that you should seek advice from compliance and legal experts that understand your industry and can better determine how GDPR will affect your individual company.