Most major companies, Facebook, Google and Twitter included, use the data they collect from their users to drive the insights that improve their services, or they monetise that data by making it available to third parties, most visibly through targeted advertising. The EU has now passed a new regulation governing this practice, the General Data Protection Regulation (GDPR), and any organisation that handles the personal data of people in the EU will need to be compliant with it.
The GDPR applies across the EU from 25 May 2018 and is the most significant change in data privacy regulation in 20 years, replacing the 1995 Data Protection Directive. It is designed to harmonise data privacy law across Europe for every organisation that holds data on people in the EU, which also makes it easier for non-European companies to work out what they have to comply with.
The new GDPR regulation addresses the export of personal data outside the EU. It aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
It requires any company doing business with or in the European Union or the European Economic Area to tell people what personal data it intends to collect, and why, before collecting it. While that is good for users, it can be a complicated thing for businesses to navigate.
Businesses must now tell users what information they want to collect and what they plan to do with that personal data. Any company that fails to meet these requirements is subject to fines of up to 4% of worldwide annual turnover or €20 million, whichever is higher. A fine on that scale would be painful for a large company and could be fatal for a small or medium-sized business.
So if your company collects and stores the personal data of people in the EU, the GDPR is relevant to your organisation even if you have no formal presence in the EU. If you are marketing, selling, exporting, importing, employing, partnering or otherwise dealing with anyone in the EU and keeping data about them, this affects you. That includes data gathered from social media, websites, CRM systems, employment agreements, partnership agreements and so on.
The GDPR is a regulation, not a directive, so it is directly binding and applicable in every member state without national governments having to pass enabling legislation. Note also that different obligations apply depending on whether you are a controller (you decide why and how personal data is processed) or a processor (you process it on a controller's behalf).
But what can you do to make sure you are compliant?
To get your data handling in line with the GDPR, you need to understand who in your organisation is affected, what is required of them, and what the direct effect on the business will be.
There are many informative websites on this, including the regulation itself (around 100 pages with its recitals), and a good legal and IT team can assist. The main changes are summarised below.
Stricter consent rules
Where processing relies on consent, the GDPR requires that it be freely given, specific, informed and unambiguous, and given before the data is processed. Consent cannot be inferred from silence, pre-ticked boxes or inaction, and it must be as easy to withdraw as it was to give. Consent is only one of the lawful bases the regulation allows, so do not assume every processing activity needs a consent prompt; it does need a documented lawful basis.
Enhanced rights for data subjects
Individuals have stronger rights under the GDPR, including the rights to have their personal data erased, to have inaccurate data corrected, to object to direct marketing, and to have their personal data ported to another service provider in a machine-readable format.
Data breach notification
Organisations must notify the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to the people concerned. Where the breach is likely to result in a high risk to those individuals, they must also be informed without undue delay. In practice this means having breach detection, escalation and reporting procedures in place before an incident, not after.
Increased accountability measures
There are a number of new governance requirements for organisations in scope, including keeping records of processing activities, conducting data protection impact assessments for high-risk processing, and appointing a data protection officer where the regulation requires one (for example, public authorities and organisations whose core activities involve large-scale monitoring or large-scale processing of sensitive data).
Maximum penalties are €20 million or 4% of annual global turnover, whichever is greater.