The recent major breach of Facebook user information showed the world just how important data protection regulations are for protecting personal privacy, and governments are taking notice.
While PCI DSS (the Payment Card Industry Data Security Standard), created by the credit card companies, has been around for a while, that standard is aimed at protecting credit card payment information and doesn’t particularly address other types of personal user data.
The General Data Protection Regulation (GDPR) does. Every company doing business in the European Union (EU) needs to understand it to ensure they’re in compliance and don’t get hit with hefty penalties.
Businesses collecting all types of data on citizens in EU countries need to follow strict new rules as of May 25, 2018.
Why the new push toward protecting user data? These statistics from MEF’s 4th annual Consumer Trust Study shed some light on that:
- 69% of those surveyed said it was important or extremely important to know that an app or service is using their personal data.
- 70% of people said it was extremely important that an app or service delete their personal data when they request it and they were worried it might be shared without permission.
- People are becoming increasingly concerned. In 2017, only 3% of people said they were happy to share personal information (50% fewer than the prior year).
Part of how The Modern Workplace helps businesses stay up to date with their technology is training their staff on data security and new regulations that may impact them.
In this article, we’ll give you an overview of the new GDPR rules and how they’ll impact anyone doing business within the EU.
What is the General Data Protection Regulation?
The GDPR didn’t just come out of the blue after recent data breaches. It was first approved and adopted by the EU Parliament back in April of 2016 and had a two-year transition period built in. It’s in full force as of May of 2018, which is why it’s important for anyone doing business in EU countries to know what it means for their company.
The EU itself states that it’s the most important change in 20 years for data privacy regulation.
GDPR lays out several new rights for the people whose data is being collected (the “data subjects”). These include:
Breach Notification
It’s mandatory in all EU member states that a data breach which is likely to “result in a risk for the rights and freedoms of individuals” be notified within 72 hours of the company becoming aware of it.
This means companies can no longer delay a breach notification while they’re sorting out how it happened.
Consent
No more long, unreadable terms and conditions that only a lawyer can make sense of. A data subject’s consent to the collection of their data must be obtained in an intelligible and easily accessible form, and the purpose of the data collection must be clear.
Opting out of data collection must be as easy as opting in.
Data Portability
Data subjects have a right to receive their personal data in a “commonly used and machine-readable format.” Additionally, they can transmit that data to another data controller if they wish.
Data Protection Officers (DPOs)
Data controllers were previously required to notify their processing activities to the local Data Protection Authorities (DPAs), but that has changed. Instead, there are internal record-keeping requirements, and appointing a DPO is mandatory only for certain controllers and processors.
Privacy by Design
Most businesses already have safeguards built into their data collection, storage, and transmission processes, but GDPR makes this a legal requirement. Data protections must be designed into a system from the outset, not bolted on later, and access to personal data must be limited.
Right to Access
Under GDPR, data subjects have a right to obtain a confirmation from the company controlling the data as to whether or not personal data is being processed. They also have a right to know where and for what purpose their data is being used.
Companies collecting personal data must give requestors a copy of their data in electronic format, free of charge.
Right to Be Forgotten
If someone no longer wants their data collected or used, they have the right to request its erasure. When they receive a deletion request, companies are able to weigh the subject’s rights against “the public interest in the availability of the data.”
What Type of User Data is Covered by GDPR?
The data protected by GDPR may be broader than you think. It covers any data relating to a natural person that can be used, directly or indirectly, to identify that person.
This can include, but is not limited to:
- Email address
- Bank details
- Social media posts
- Medical information
- Computer IP address
The penalties for non-compliance with GDPR can be steep. Organisations can be fined up to 4% of their annual global turnover for a GDPR breach, or up to €20 million. Fines apply to both data controllers and data processors, so cloud-based services are not exempt.
Fines are tiered. For example, a company can be fined 2% for failing to notify data subjects of a breach within the 72-hour timeframe. More serious infringements include processing data without sufficient customer consent.
Other Data Protection Laws
Another new data protection law that came into effect on February 22, 2018 pertains to Australian businesses. The Notifiable Data Breaches (NDB) scheme requires organisations that have a data breach to notify those whose personal details were compromised within 30 days. That notification must include steps they can take in response to the breach.
Stay On Top of Data Privacy Regulations with The Modern Workplace
The Modern Workplace can help your company ensure you’re in compliance with any pertinent data security regulations, no matter where you do business. Contact us today to schedule cybersecurity training or a review of your procedures. Call 1300 795 105; we’re happy to help!