The European Union’s new General Data Protection Regulation (GDPR) recently went into effect. The set of rules was created to govern the privacy and security of personal data and was put out by the European Commission. Even though the GDPR is set in Europe, it still has serious implications for a number of companies in the United States.
Who Is Affected?
Regardless of the location of your company, you will be affected by the GDPR if:
- You collect personal data or behavioral information from someone located in an EU country
- You’re based outside of the EU but provide goods or services to the EU, including free services
- You are established within the EU, regardless of where you process and collect personal data (including cloud-based processing performed outside of the EU for an EU-based company)
With that being said, the new regulation will clearly have a ripple effect around the world. Now that the facts have been established, it is time to start thinking about compliance if your business will be one of those affected.
What U.S. Companies Need to Know
The GDPR lays out data security principles that are similar to those in the current directive. These include: fairness, lawfulness, transparency, purpose limitation, data minimization, data quality, security, integrity, and confidentiality. Businesses that are affected by the regulation must ensure that customers’ personal data and information are processed in a secure manner, including protection against unauthorized or unlawful processing, and against loss, destruction, or damage. The regulation notes that a number of measures can be used to achieve data protection, including encryption.
Important Factors for U.S. Companies
- GDPR has established large fines for non-compliance. A violation, such as poor data security that leads to public exposure of sensitive information, could result in millions or potentially billions of dollars in fines.
- The regulation enforces detailed and demanding breach notification requirements. Affected U.S. companies that are accustomed to U.S. breach notification rules may need to adjust their policies in order to avoid a violation.
- GDPR has a stricter definition of consent. Data subjects must first confirm consent through a freely given, specific, informed, and straightforward statement, or a clear affirmative action. To put it simply, silence, pre-checked boxes, and inactivity no longer count as consent.
- The regulation broadens what constitutes personal data, including cookies, IP addresses, and other tracking information.
- GDPR creates the right to be forgotten, meaning that individuals can ask your organization to delete their personal data when they see fit. Companies that do not have this process in place will need to develop one.
- GDPR also gives data subjects the right to receive their data in a normal format and the right to ask that their data be transferred to another controller. Again, if a company does not have this process in place, it will need to develop one.
- The regulation makes a distinction between data processors and data controllers: controllers are liable for the actions of the processors they choose.
- Lastly, the GDPR increases parental consent rights and requirements for children who are under 16 years old.
What Can You Do?
As mentioned earlier, the GDPR specifically mentions encryption as one approach that can help to ensure compliance with many of its requirements. Encryption encodes information in a way that prevents unauthorized parties from reading or using it. Encryption can help satisfy many of the requirements, but it is also simply an excellent way to boost security and protect confidential information in the event of a data breach or lost device.
U.S. businesses, especially those with a strong web presence, should be paying close attention to this and start changing their practices now. It is better to start early on compliance than to become a headline a few years down the road.
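The paragraph above says encryption keeps personal data unreadable to anyone without the key after a breach or a lost device. The following Go program is an added example, not code from the article or from any product it mentions: it encrypts a constructed personal-data record with AES-256-GCM (authenticated encryption, so tampered ciphertext is rejected rather than silently decrypted), keeps the key in a hypothetical per-subject key store, and shows how destroying that key makes the stored record permanently unreadable. That last step, sometimes called crypto-shredding, is a common way to honor a deletion request for data that lives in backups, and goes beyond what the article itself states. The `KeyStore`, `Record` and `Envelope` types and all sample values are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what is stored at rest: a random nonce plus the GCM ciphertext,
// which carries its own authentication tag. The key is never stored alongside it.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// KeyStore is a hypothetical per-data-subject key store (assumed for this
// example). In practice this would be an HSM or a managed key service.
type KeyStore map[string][]byte

// ErrKeyDestroyed is returned once a subject's key has been shredded.
var ErrKeyDestroyed = errors.New("key for subject has been destroyed")

// NewKey returns a fresh 256-bit AES key from the OS CSPRNG.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext under key with AES-GCM using a fresh random nonce.
func Encrypt(key, plaintext []byte) (Envelope, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Envelope{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Decrypt opens an envelope; any modification of nonce or ciphertext fails
// the authentication check and returns an error instead of garbage plaintext.
func Decrypt(key []byte, env Envelope) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Read looks up the subject's key and decrypts; once the key is gone the
// envelope is unreadable even if copies of it survive in backups.
func (ks KeyStore) Read(subject string, env Envelope) ([]byte, error) {
	key, ok := ks[subject]
	if !ok {
		return nil, ErrKeyDestroyed
	}
	return Decrypt(key, env)
}

// Forget destroys the subject's key: the crypto-shredding step of a deletion request.
func (ks KeyStore) Forget(subject string) {
	delete(ks, subject)
}

func main() {
	ks := KeyStore{}
	subject := "subject-0001" // constructed identifier
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	ks[subject] = key

	// Constructed sample record; the IP address counts as personal data under GDPR.
	record := []byte(`{"name":"Example Person","email":"person@example.com","ip":"203.0.113.7"}`)
	env, err := Encrypt(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d ciphertext bytes; plaintext not present on disk\n", len(env.Ciphertext))

	got, err := ks.Read(subject, env)
	fmt.Printf("read with key: %q err=%v\n", got, err)

	ks.Forget(subject)
	_, err = ks.Read(subject, env)
	fmt.Printf("read after deletion request: err=%v\n", err)
}
```

The point worth noting for a lost-device or breach scenario is that the stored envelope on its own reveals only its length; recovering the record requires the key, and a deletion request can be honored by destroying that key rather than hunting down every copy of the ciphertext.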