Understanding the New EU General Data Protection Regulation

On May 25, 2018, the European Union’s (EU’s) new General Data Protection Regulation (GDPR) begins to apply (it formally entered into force in 2016, with a two-year transition), and it will affect businesses all over the world, whether they’re ready or not.

A basic part of being prepared for any new regulation is to know a few key things about it. So, to help you be better prepared for the new EU data protection regulation and its impacts, here’s a short list of some things that you should know about it:

1) Who GDPR Affects

The EU General Data Protection Regulation applies to any organization, not just corporations, that processes the personal data of people located in the EU, regardless of their nationality and regardless of where the organization or the data is located. Article 3 draws the boundary: it covers organizations established in the EU, and organizations outside the EU that offer goods or services to people in the EU (whether or not payment is involved) or monitor their behaviour there. Even if your business is considered “small” or has a not-for-profit designation, if you process the personal data of people in the EU on that basis, GDPR’s rules apply to you.

Because of this, it’s important to make sure that you’re compliant with GDPR—especially if you’re in the hospitality, travel, software services, or e-commerce industries, which frequently serve clients who are traveling abroad or shop online. As noted in one Forbes article on the subject, “any U.S. company that has identified a market in an EU country and has localized Web content should review their Web operations.”

2) The Rights of “Data Subjects”

Within GDPR, the document’s drafters frequently refer to “data subjects,” the identified or identifiable individuals whose personal data is being processed. The Regulation grants data subjects numerous rights, and your business must honour them (generally within one month of a request). If these rights are abridged, it can lead to complaints to a supervisory authority and to fines.

Some key rights include:

  • Transparency in Communicating Rights. Much as an officer has to read a suspect’s Miranda rights during an arrest, your company has to tell data subjects, in clear and plain language, who you are, why and on what legal basis you are processing their data, how long you keep it, and what rights they have (Articles 12 to 14).

  • Data Collection Notifications. When you collect personal data directly from someone, you must give them this information at the time of collection (Article 13). When you obtain their data from another source, you must inform them within a reasonable period, at the latest within a month, or at the first communication with them if the data is used to contact them (Article 14).

  • The Right to Be Forgotten. Data subjects can require you to erase their personal data in defined situations, for example when the data is no longer needed for the purpose it was collected for, when they withdraw the consent the processing relied on, or when they object and you have no overriding grounds (Article 17). This is a right to erasure of data you already hold, not a blanket opt-out from all collection, and it has exceptions, such as a legal obligation to retain certain records.

  • Access and Portability. Data subjects can ask whether you are processing their data and obtain a copy of it, free of charge for the first copy (Article 15). Where the processing rests on consent or a contract and is carried out by automated means, they can also receive that data in a structured, commonly used, machine-readable format, or have it sent to another provider, so they can switch services (Article 20).

  • The Right to Object. Data subjects can object to processing that relies on your legitimate interests or on a public-interest task, and you must stop unless you can demonstrate compelling legitimate grounds for the processing that override their interests, rights and freedoms (Article 21). An objection to direct marketing is absolute: there is no balancing test, and you must stop.

3) The Medium of the Data Doesn’t Matter

It doesn’t matter whether the data you process comes via online surveys, in-person customer interactions, form fills on your website, or a carrier pigeon—the rules of GDPR will apply to all the data you collect about your customers.

The Regulation’s recitals state that, “to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used” (Recital 15). So even data you keep in hard copy is protected, with one limit from Article 2(1): paper records fall under GDPR when they are held, or are intended to be held, in a filing system organized so that individuals’ records can be looked up (a customer card index counts; a loose pile of notes generally does not).

4) Liabilities for “Intermediary Service Providers”

GDPR states that it is “without prejudice” to the liability rules for intermediary service providers in Directive 2000/31/EC, the e-Commerce Directive (Article 2(4)). Under that Directive, a provider acting as a “mere conduit” is not liable for the third-party information it transmits, provided that it doesn’t:

  1. Initiate the transmission;
  2. Select the receiver of the transmission; or
  3. Select or modify the information contained in the transmission.

This does not take your business outside GDPR. It limits your liability for content that merely passes through your service, but any personal data you process for your own purposes (customer accounts, billing records, access logs, support tickets) is still governed by GDPR, and you are still a controller or processor for it. Because the line between the two regimes depends on exactly what your service does with the traffic, I would strongly recommend that you consult a lawyer specializing in business or telecom law to confirm where you stand.

5) Limitations on the Data You Can Process

GDPR distinguishes the “controller” (the organization that decides why and how personal data is processed, which is normally your business) from the “processor” (a vendor that processes the data on the controller’s behalf). Both are bound by the principles of purpose limitation and data minimisation: personal data may be collected only for specified, explicit and legitimate purposes, and must be adequate, relevant and limited to what is necessary for those purposes (Article 5(1)(b) and (c)). Basically, it means you can’t collect everything you can get, or share all of a person’s data with everyone an unlimited number of times.

For example, if you’re processing data for a purchase transaction, only the bare minimum of data for that transaction should be collected and used—such as the minimum payment card info required to process the transaction. Other data, such as common personally identifiable information (PII) like social security numbers—which would be overkill for establishing the payer’s identity—are off-limits.

Limiting the data being transmitted has the side benefit of limiting your (and your customer’s) exposure to risk if the transaction data is ever intercepted or otherwise compromised. Less data stored or transmitted means less damage done.

6) Notification Requirements of GDPR

If a breach does occur, something that seems inevitable in the modern threat environment, GDPR requires you to notify the affected individuals “without undue delay” when the breach is likely to result in a high risk to their rights and freedoms, for example when credentials, payment data or other sensitive information was exposed (Article 34). The notice must describe in plain language what happened, the likely consequences, and the measures you are taking. Notice to individuals is not required if the data was unintelligible to the attacker (for instance, properly encrypted with keys that were not compromised) or if you have since taken measures that remove the high risk, but apply that test honestly: a high-risk breach that is never reported to the people affected is itself a violation.

Additionally, under GDPR you have 72 hours from becoming aware of a breach to notify “the relevant supervisory authority,” unless the breach is unlikely to result in a risk to individuals (Article 33). That is not much time for a full investigation, so don’t hold the notification until the root cause is known: the Regulation lets you provide the required details in phases as they become available, and a notification made after 72 hours must explain the delay. Your incident response plan (IRP) should therefore name the authority to contact, who drafts the notification, and what the first report must contain: the nature of the breach, the categories and approximate numbers of people and records affected, the likely consequences, and the measures taken or proposed. The more accurate detail you can give, the better off you’ll be, since it helps their investigation, and you must document every breach internally, including the ones you decide not to report (Article 33(5)).

The above list compiles just a few of the things that businesses need to know about the EU’s new Regulation. Is your business prepared for GDPR? Check out our free guide to GDPR at the link below, or contact us for more information about how to get your cybersecurity architecture prepared for the launch of the new rules from the EU.