There's a storm on the horizon. Skies have darkened, sunlight hidden behind gray, ominous clouds that cast shadows over the landscape, and those that didn't heed the weather report are bound to be caught in the storm and drenched if they can't quickly find cover.
For American industry, the dark clouds that were born over the EU have been steadily making their way across the Atlantic, leaving many companies still scrambling for protection. After years of methodical movement over land and sea, the General Data Protection Regulation (GDPR) is ready for its heralded entrance on the industrial stage, even though many American firms remain unclear on the impact it will have on their daily operations.
For those that are still unsure what GDPR means to them, however, Xinn is reviewing the basics to provide a straightforward explanation of GDPR and how it might affect a domestic business. Remember, just because storm clouds are overhead doesn't mean you'll inevitably be soaked to the bone. Xinn is here to help you find a steady, reliable umbrella.
A Brief History of the GDPR
Whether at the hands of the black hats or unscrupulous data management from companies themselves, the public often feels betrayed by the digitized world. It's those exact feelings, warranted or not, that are at the root of the GDPR legislation that aims to protect consumers with far more stringent, wide-reaching efforts.
While GDPR is the latest iteration of consumer protection mechanisms to hit the landscape, it's by no means the first. In fact, GDPR is a direct replacement of the 1995 Data Protection Directive from the EU which, at its core, strove to protect personal data privacy rights through a system of notifications and disclosures between companies and their customer bases.
Of course, much has changed since 1995, so EU legislators adopted the GDPR on April 14, 2016 as a way to significantly bolster data protection rights. This is accomplished by giving consumers a more proactive defense against unwanted data usage, rather than the more passive approach of the 1995 directive.
Much of GDPR revolves around two main areas -- required corporate security actions and personal data rights. To stay in compliance, organizations, data controllers and processors must follow specific instructions regarding data security, the main points being:
- Personal data must be encrypted and pseudonymized, or in simpler terms, identifying information must be removed or replaced so that the data can no longer be attributed to an individual without additional, separately held information.
- Firms must regularly perform testing and evaluations of their technical and organizational policies to evaluate the effectiveness of their data security.
- Data processing systems must maintain confidentiality, integrity, resilience and availability at all times.
- A Data Privacy Officer (DPO) must be designated to oversee all data security and compliance issues.
Likewise, GDPR provides a variety of data protection rights for the consumer:
- Breach Notification: When a data breach occurs, individuals possibly impacted must be notified within 72 hours of the discovery. This is required of organizations as well as data processors and controllers.
- Right to Access: Individuals have the right to know where and why their data is being processed and can request a digital copy of their personal data.
- Right to be Forgotten: A person has the right to have their data erased, not used in the future, and prevent third parties from processing their data.
- Portability: An individual has the right to request their personal data and then transmit that data to another controller.
Of course, given the scope of GDPR, Xinn recommends you review the complete guidelines to fully understand the many facets of the legislation.
Aside from the security measures and protection mechanisms, GDPR was also established to create a uniform set of rules to regulate the use of personal data by organizations within the EU. For these purposes, personal data is defined as any information that can identify an individual through an identifier -- including name, physical address, IP address, username, cookies, or even physical, physiological, economic, cultural or social characteristics.
Simply put, if the data can be used to identify a particular customer or user, then it falls under GDPR's purview. Post-Brexit, the U.K. will be adopting its own data protection act that closely mirrors GDPR.
In terms of scope, GDPR protects the personal data rights of all individuals living within an EU member country, and it also extends to companies that operate, have customers, store data, or have data processed or transmitted within the EU. In other words, all it takes for a company to fall within scope is to have EU customers or to keep data in, or pass data through, EU borders.
Consequences of Non-Compliance
Of course, these far-reaching tentacles are precisely why so many American companies find themselves ensnared by GDPR's grasp. No matter where an organization might be headquartered, however, all companies falling within GDPR must abide by the same regulations or face significant fines -- up to the greater of €20 million or 4 percent of the previous fiscal year's total global revenue.
Obviously, with such stiff possible sanctions, it's in every company's best interest to take GDPR compliance extremely seriously. In fact, the regulating body itself recommends that firms make compliance a core part of all operations rather than just an important but ancillary component to business. From this perspective, personal data rights should become another pillar of business, just like the supply chain, accounting, R&D and other essential aspects of industry.
In many ways, GDPR can be considered an inevitability given the countless breaches and unsavory data sharing policies of even the largest of corporations. With a compliance deadline of May 25, 2018, Xinn implores American firms to carefully examine their client base, data storage, systems and privacy policies to better understand the impact GDPR will have on their operations. The stakes are too high not to.