What is GDPR?
The General Data Protection Regulation (GDPR) is a regulation through which the European Union (EU) intends to strengthen and unify data protection for all individuals within the EU. By May 25, 2018, all organizations handling, storing, or processing EU citizens' data are expected to comply with these new rules. GDPR also dictates the procedures and consequences surrounding breaches and breach notifications. Here are some key terms you should know:
Controllers are government agencies as well as public and private organizations that collect and process data. They determine how and why it is collected, used, and shared.
Processors are companies or entities that process personal data on a controller's behalf, such as third-party IT contractors or cloud providers.
Data Subjects are the individuals whose personal data is processed. They may be clients, employees, or customers.
What do you need to do to comply with GDPR?
- All subjects must opt in:
  - Consent must be informed, unambiguous, and freely given.
  - An individual's consent can no longer be assumed by default.
  - Any consent documentation should be written in plain language and be as easy to revoke as it is to provide.
  - EU citizens must be allowed to withdraw consent.
- Data must be erased if the consumer withdraws consent:
  - Processors and controllers must erase and stop distributing personal data if a data subject requests it.
  - Data must also be erased when it is no longer relevant to the purposes for which it was collected.
  - Data must be erased when the data subject withdraws consent and there are no other grounds for processing the data without consent.
  - Data must be erased when the data subject objects to the processing.
  - Data must be erased if it was processed improperly.
- Allow EU citizens to request their information:
  - Processors and controllers must give data subjects their personal data in an electronic, structured, and commonly used format so that they can provide it to a third party if they choose.
- Notify authorities of data breaches:
  - Processors and controllers must notify data subjects, without undue delay, of data breaches that are likely to put their privacy at risk.
What happens if you don’t comply?
The penalties can be quite severe if companies fail to comply:
- You could pay fines of up to €20 million (approx. 24 million USD) or 4% of an organization's global revenue for the preceding year, whichever is greater.
- Data breach victims could file class action lawsuits.
- Potential damage to the company’s brand and subsequent revenue loss.