The dawn of the Information Age has undoubtedly changed many aspects of our day-to-day lives. Seemingly impossible amounts of information are at our fingertips constantly, and it’s easier than ever to do our shopping, do our banking, and communicate with each other. At the same time, we are sharing increasing amounts of personal information over the Internet, and there is always the risk of bad actors finding our personal information. Numerous recent examples, including data breaches at Equifax, Uber, MyFitnessPal, and others, demonstrate that this risk is frequently a reality.
Privacy concerns have led to pressure from activist groups and governments around the globe to ensure certain protections are in place for those of us who have data out there on the Web. The European Union (EU) has led the charge in many ways when it comes to this pressure. Case in point: EU’s General Data Protection Regulation (GDPR). The GDPR is a wide-ranging set of regulations that govern how the data of EU subjects are to be stored and maintained. Even for businesses located outside the EU, the GDPR has the potential to represent a major compliance challenge. We’ll begin here with a brief overview of the basics of the regulations, followed by the key provisions and tips for training staff on compliance.
The GDPR was enacted in April 2016 following years of preparation and debate. The law is effective as of May 25, 2018.
Who Is Subject to the Rules?
According to EUGDPR.org, “The GDPR not only applies to organizations located within the European Union but it will also apply to organizations located outside of the European Union if they offer goods or services to, or monitor the behavior of, European Union data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”
The GDPR governs how “personal data” need to be handled. EUGDPR.org explains that personal data are “[a]ny information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
The GDPR is a major piece of transnational legislation with global implications. It would be impossible to cover the entire subject in three short blog posts, but hopefully, our very high-level overview will provide enough information for readers to understand where they need to do further research.
Key Provisions and Governing Principals
Now we’ll look at some of the basic, fundamental provisions to be aware of. According to IT Governance, under the GDPR, personal data must be processed according to six data protection principals:
- Processed lawfully, fairly, and transparently
- Collected only for specific legitimate purposes
- Adequate, relevant, and limited to what is necessary
- Must be accurate and kept up to date
- Stored only as long as necessary
- Ensure appropriate security, integrity, and confidentiality
Each of these principals has many subcomponents and nuances that should be evaluated in detail by organizations that may be subject to them. For example, there are a number of provisions that relate specifically to the question of when consent to hold an EU subject’s data has been validly given.
Data Processor Versus Data Controller
The GDPR makes an important distinction between a data “processor” and a data “controller.” As EUGDPR.org states, “A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.” As one might imagine, the GDPR regulations are more onerous for controllers than for processors.
The penalties for noncompliance with the GDPR are potentially massive. According to EUGDPR.org, “Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts.”
The GDPR has understandably made many businesses very anxious over compliance with its data protection rules. We’ve discussed some of the most important provisions above, but a thorough review of the regulation is certainly recommended for any business that may be subject to its provisions. Let’s move on to some basic steps for training employees on compliance.
Develop Your Compliance Strategy
The GDPR is a complicated and detailed regulation, and your compliance policy will need to be comparably detailed to ensure you are covering all of your bases. It’s not necessary for your entire staff to be experts on your policy, but you need to have a group of key staff who are well-versed on the regulation and how your organization aims to comply.
Make Sure Your Staff Know What Constitutes Personal Data
The fundamental concept underlying the GDPR is personal data. Even though your entire staff don’t need to be experts on the GDPR, anyone handling any customer data whatsoever should be aware of what constitutes personal data under the GDPR. This is the first step in addressing potential compliance issues.
Educate Staff on the Process for Escalating Potential Issues
Once staff have identified that they are dealing with personal data that may be subject to the GDPR, they should know the process for escalating potential issues. It’s likely that your company deals with many of the same types of data every single day, and your staff will know—to a large extent—what is not at issue with respect to the GDPR. But in the event there is uncertainty, they should have no uncertainty as to who to bring their concerns to.
Make Sure Your Staff Understand the Magnitude of the Penalties
Finally, staff should be aware of the significance of potential violations of the GDPR. For some businesses, a serious violation could potentially mean going out of business. Employees need to know that compliance with the GDPR isn’t something that is simply given lip service.
As we’ve stressed throughout, the GDPR is a major compliance change that has far-reaching impacts and potentially massive consequences for violations. It would be impossible to thoroughly cover the topic in 100 blog posts, but hopefully, this high-level overview will be enough to raise awareness of the key issues and help identify areas for further research.