The importance of protecting private data has become painfully clear in recent years. Now, amid a mishmash of approaches and regulations, the European Union (EU) is establishing a more consistent framework toward that goal. In May 2018, the EU’s General Data Protection Regulation (GDPR), which establishes specific requirements for how companies handle “personal data,” takes effect.
Because the law applies to all organizations that touch protected information about EU citizens—regardless of whether the business is physically located in Europe—any organization that buys from, sells to, or partners with Europeans must obey GDPR requirements. If that includes you or your customers, here’s what you need to know:
What it does. GDPR updates, reconciles, and consolidates previous data laws across EU states. “The GDPR gives EU citizens certain rights concerning their personal data. The GDPR also extends the scope of responsibilities for data controllers and processors—that is, any organization that collects, handles, or stores EU customers’ personal data,” states Bess Hinson, an attorney who specializes in technology and security at Nelson Mullins Riley & Scarborough LLP, of Columbia, S.C.
Why you should care. Because noncompliance can result in fines worth up to 4 percent of an organization’s worldwide annual turnover, says Kennet Westby, chief security strategist at Coalfire Systems Inc., a Westminster, Colo.-based cyber-risk management and compliance advisory firm. Plus, he adds, “Savvy organizations have the opportunity to use robust privacy programs as a potential market differentiator.”
Key requirements. Organizations that collect data on EU subjects must appoint a “data protection officer,” who is responsible for all decisions impacting the organization’s privacy posture and must “exercise a substantial degree of organizational independence,” Westby says.
In addition, organizations must rethink data management. For example, bundling all terms of service into a single agreement will no longer be permissible. “GDPR mandates that all [data] processing be clearly explained, and the customer will need to be given the opportunity to explicitly accept or reject each processing case, without losing the opportunity to conduct business with the organization,” Westby explains.
Provisions you should focus on. Article 12 of the GDPR requires controllers to communicate with data subjects “in a concise, transparent, intelligible and easily accessible form, using clear and plain language.” Article 32 requires organizations to “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.”