A GDPR Primer: What You Need to Know
The General Data Protection Regulation, known as the GDPR, is new legislation that defines data protection standards and rules across the European Union. This regulation effectively repeals Directive 95/46/EC.
Consistency is the goal of the GDPR: the legislation imposes a uniform data protection law on all EU member states, removing most of the need for each member state to write its own data protection laws.
The complexity of the GDPR has left organizations that do business with the EU scrambling to identify exactly how they can comply with its strict data security standards, while also recognizing what effect compliance has on their overall digital business initiatives. Let’s take a quick look at the GDPR.
(Stay tuned for part 2 of this blog series where we’ll take a deeper dive into the law itself and what technology can best lead or supplement your compliance strategy.)
- GDPR takes effect May 25, 2018. This gives companies roughly 18 months from today to ensure they’ll remain – or become – compliant.
- Companies that fail to achieve GDPR compliance before the deadline will be subject to stiff penalties and fines (see below).
- Extra-territoriality (especially relevant to ecommerce): any company that markets goods or services to EU residents, regardless of where it is located, is subject to the regulation. As a result, the GDPR will have an impact on data protection requirements globally.
- GDPR impacts every entity that holds or uses European personal data both inside and outside of Europe, regardless of a physical EU office location.
Broadened Scope of ‘Personal Data’
- All direct and indirect identifiers
The GDPR makes clear that the concept of personal data includes online identifiers and location data – meaning that the legal definition of personal data now puts beyond any doubt that IP addresses, mobile device IDs and the like are all personal and must be protected accordingly. This means that these types of data will now be subject to fairness, lawfulness, security, data export and other data protection requirements just like every other type of ‘ordinary’ personal data. (via Field Fischer Law)
- Adds biometric and genetic data
The GDPR introduces specific definitions of “genetic data” (e.g. an individual’s gene sequence) and “biometric data” (i.e. fingerprints, facial recognition, retinal scans etc.). Genetic data and biometric data are both treated as sensitive personal data under the GDPR, affording them enhanced protections and generally necessitating individuals’ explicit consent where these data are to be processed. Large scale processing of genetic data and biometric data (and, indeed, any other category of sensitive personal data) will trigger a requirement for controllers to undertake a data protection impact assessment to identify potential risks involved in processing this data and measures taken to ensure compliance. (via Field Fischer Law)
- Personal Data now includes behavioral-derived and self-identified data
“Monitoring” specifically includes the tracking of individuals online to create profiles, including where this is used to take decisions to analyze/predict personal preferences, behaviours and attitudes. (via Bird & Bird LLP)
- Stringent data security and 72-hr breach notification
- Data controllers and data processors are now both liable for breaches (get a data breach plan together).
Increased Cost of Non-Compliance
- Fines of up to 4% of annual turnover or 20M Euros
- As the law will undoubtedly evolve, so will the potential for fines. This will make dynamic, central management of your data very important.
Stay tuned for Part 2 of the GDPR blog series, where we’ll look at what you need to know before mapping your compliance strategy and what technology can best lead or supplement your plan.