The following post was written by Janelle Hsia, Data Privacy and Security Consultant, American Cyber Security Management.
The world today seems to be abuzz about General Data Protection Regulation (GDPR).
If you’re not buzzing – then you’re not in the know. When it comes to GDPR, people want to know what it is, who has to deal with it, when they have to take action, and where they can turn to for help.
Simply put, GDPR is the European Union’s (EU) latest attempt to govern data protection for all individuals within the EU. GDPR formally stands for the General Data Protection Regulation 2016/679, and was adopted by the European Parliament on April 14, 2016. It goes into enforcement on May 25, 2018, and it is the most important privacy change in the last 20 years.
If you offer goods and services in Europe, have European employees, partners, or suppliers, you’ll need to comply with some form of GDPR.
So, what does ‘comply’ mean here? For entities (people and companies) that you deal with from Europe, it means that you’ll need to ensure that you are transparent with them about the data you collect, why you collect it, and what you intend to do with the data. Also, before you collect their data you’ll need to get their permission to use it, in the form of explicit consent. You’ll need to ensure you only keep the data for as long as you need it, and that you’ll protect it while you have it.
If something happens to the data (it’s lost, stolen, or corrupted) you’ll be responsible for telling the person whose data was affected and the authorities (the Supervisory Authority in Europe). It’s a really good idea to encrypt the data, and if you can you should anonymize it, which means removing any and all identifiable information.
If a European citizen asks you what data you are storing or processing about them, you’ll need to tell them, and if they ask you to delete their data, you’ll need to do that too. There are also some additional record-keeping functions, like data mapping and Data Protection Impact Assessments (DPIA), which you will need to regularly perform and keep up to date. Plus, there are financial penalties if you don’t ‘comply.’
Not all of this is bad. In fact, it might actually be good news as companies will need to review their practices and programs in order to determine exactly what data they are collecting and why they are collecting it. These efforts alone will increase their maturity in data handling and system design.
As data breaches become more common, it can only be a good thing when the companies we entrust with our information have to follow stricter rules and adopt these improved processes. If you would like more information about GDPR, or if you need help understanding the complexity of compliance – visit http://www.americancsm.com/.
Stay tuned for more privacy and compliance content from Janelle Hsia in the coming weeks!