The GDPR Goes Into Effect In One Week. Is Your Business Ready?
We’ve covered GDPR in previous blog posts and you’ve probably seen references to it from your banking, insurance, and legal partners. If you’re like many people in the US, you still don’t know what GDPR is. We can help.
Super short summary:
GDPR says data about a person belongs to that person. People holding or processing that data are simply caretakers.
If you handle data belonging to EU citizens (customers, employees, students, contractors, dependents):
- You must notify record holders within 72 hours of knowing data was breached
- You need to be able to articulate what data you are storing and where you are storing it
- If a person wants a copy of his/her data, you must provide it
- If a person wants you to delete the data you hold about him/her, you must do so
- Only intake and store data that’s truly necessary. Don’t request or store data you don’t use. Data should only be available to specific employees on a need-to-know basis
- These practices must be in place by May 25, 2018
Do you hold data for EU citizens?
GDPR is a new regulation on the handling of data concerning citizens of the European Union. Many US organizations hold data on EU citizens, and as such are subject to GDPR regulations. Much of GDPR is a good idea. It really changes the game on how we think of data, by defining who owns it. It’s a major shift to say the entity who takes the time to collect and enter the data doesn’t really own it, but is responsible for it. The notion of “being forgotten” has long been a philosophical question in the computing age, but now there’s an answer, and it has teeth. Based on what I’m seeing, GDPR is here to stay, and we will likely see a more refined or watered-down version of it here in the US to better protect American citizens within the next few years. There were hints of looming legislation during April’s Mark Zuckerberg testimony before Congress. As one person at Pegasus said, “GDPR is HIPAA on steroids.” As a consumer, I like it. For a business, it can be daunting.
Regardless of GDPR, and if only to establish a cyber security defense, it’s critical to understand what data your organization is collecting, where it is stored, who can access it, and when it is purged. It’s worth asking these questions of your key business software vendors, cloud providers, and anywhere you are entering personal information, if for no other reason than to be good stewards of data for all your clients and employees. If you know those answers, you’re in a much better position to resist cyberattack _and_ be GDPR-compliant.
- If you are holding data regarding citizens of the EU, then you are subject to GDPR regulation
- Failing to comply with GDPR regulations can result in fines of 8,000 Euros (just shy of $10,000), levied by the EU
- The deadline for GDPR compliance is May 25, 2018
- Key compliance items include:
  - Breach notification within 72 hours of awareness
  - Ability for an EU citizen to know what data is being collected, where it is stored, and for what purpose. A copy of this data must be available free of charge to the citizen.
  - Copies of a citizen’s data must be electronically portable to another system, meaning the data cannot be exclusively available in proprietary or paper formats
  - Right of an EU citizen to “be forgotten” by an organization holding his/her records. In other words, an organization holding records on a citizen must delete them upon request.
  - Data should be curated from the moment it’s initially collected, meaning only the minimum amount of data required for operations should be collected, and only personnel who need to access the data should have permissions to access the data
  - Certain types of data force the organization to have a Data Protection Officer and register their data processing activities with the data protection authority that has jurisdiction over the organization. This GDPR requirement is perhaps the most challenging to understand since the rule is so new. “DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data (Art. 37). If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.”
There are all sorts of questions regarding the enforceability of GDPR for US-based organizations, and the interpretations of GDPR haven’t even started yet, so this is uncharted territory. At the same time, the law has excellent intent, so compliance is a good idea, and the consensus is that US-based organizations must comply if they hold data on EU citizens or conduct business in the EU.