Enforcement of the EU General Data Protection Regulation (GDPR) applies to any company that transacts with European Union citizens. Here’s your GDPR go-to guide.
Joel Benavides, Senior Director Global Legal and Advocacy at cloud data host Box, explains how the General Data Protection Regulation will impact cloud-stored data.
Through the power of information technology, any enterprise that sells products or provides services via the internet is technically a global business. Regardless of whether your organization is a one-person operation selling novelty T-shirts or a Fortune 100 company providing sophisticated cloud computing solutions, you are likely to have customers residing outside your country of origin. In general, this is considered a good thing.
However, with that global reach comes certain responsibilities, some of which are codified in laws and regulations with specific, and potentially costly, consequences. For example, the European Union (EU) is enforcing a new set of regulations designed to protect the data security and the privacy of its citizens. Enforcement of the General Data Protection Regulation (GDPR) went into effect May 25, 2018, and will be applicable to all EU citizens and any business entity that transacts with them, regardless of the location of the business.
Put simply, if you have a customer from an EU country and you collect any data from that customer as a result of a business transaction, you are subject to the rules and regulations of the GDPR. There are no exceptions for enterprise size or scope, which means any business with an internet presence is potentially subject to this law.
This cheat sheet explains what the GDPR is and how its provisions impact enterprises and their IT infrastructure.
SEE: EU General Data Protection Regulation (GDPR) policy (Tech Pro Research)
- What is the GDPR? The GDPR codifies and unifies data privacy laws across all European Union member countries.
- Why does the GDPR matter? Penalties for non-compliance with the provisions of the GDPR regarding collecting and using personal data are potentially devastating.
- Who does the GDPR affect? The GDPR is applicable to any business collecting personal data from a citizen of the EU.
- What are key provisions of the GDPR? Personal data is defined as any information related to a natural person that can be used to directly or indirectly identify that person.
- When did the GDPR go into effect? Enforcement of the GDPR went into effect May 25, 2018.
- How can I learn more about the GDPR? The provisions of the GDPR are publicly viewable from the EU.
What is the GDPR?
The EU GDPR replaces the Data Protection Directive 95/46/EC. The GDPR codifies and unifies the data privacy laws across all the EU member countries and is applicable to any citizen of the European Union and, most importantly, for any company doing business with a citizen of the EU. Specifically, the extended jurisdiction of the GDPR states clearly that it applies to all companies processing the personal data of subjects residing in the Union, regardless of the company’s location.
The provisions of the GDPR for keeping the personal data of customers secure and regarding the legal collection and use of that data by businesses is straightforward and basic common sense, but the penalties laid out for violations are significant. Enterprises found to be in violation of the provisions of the GDPR can be fined up to 4% of annual global turnover or 20 Million Euros, whichever is greater.
SEE: GDPR security pack: Policies to protect data and achieve compliance (Tech Pro Research)
Why does the GDPR matter?
Any enterprise that collects data from customers is potentially subject to the provisions of the GDPR, and therefore is also subject to the penalties associated with non-compliance. The penalties for non-compliance can be steep, so every enterprise should know and incorporate strict compliance with the GDPR into their business practices and procedures before enforcement becomes active.
As of May 2019, approximately one year since GDPR enforcement went into effect, European data protection authorities confirm that almost 90,000 separate data breach notifications have been received. Note, that’s just the notifications received from organizations attempting to comply with the GDPR. Those same data protection authorities report that during the same period almost 145,000 complaints and inquiries have been reported by concerned citizens.
During the GDPR’s first year of enforcement, some 100 organizations have paid fines for failing to fully comply with the regulation. Most noteworthy, in January 2019, Google was fined 50 million euros by French authorities for collecting personal data from users without providing an adequate level of transparency on how that data would be used to personalize advertisements on the platform.
Who does the GDPR affect?
Collecting and accepting personal information from any citizen of the EU will invoke the GDPR, regardless of your enterprise’s country of origin. For all intents and purposes, if your enterprise has a presence on the internet in the form of a website and if your enterprise collects personal data from customers regardless of where those customers are located, it is subject to the provisions of the GDPR. As a hedge against liability, this essentially means the GDPR applies to every public-facing enterprise.
The fines levied by the European data protection authorities during the first year of GDPR enforcement expose two undeniable facts: The GDPR applies to every business collecting, storing, and processing sensitive personal data, and European authorities are willing and able to enforce its provisions with fines and penalties.
When did the GDPR take effect?
Enforcement of the GDPR went into effect May 25, 2018.
What are key provisions of the GDPR?
The GDPR defines personal data as any information related to a natural person (data subject) that can be used to directly or indirectly identify that person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or even a computer IP address.
Under such a broad definition, enterprises must take documented steps to limit access to all personal data to only authorized and credentialed employees with job roles that specifically require access to that data. Security breaches from lack enforcement of security protocols will be met with stiff fines and financial penalties under the GDPR.
The GDPR also establishes specific rights with regard to data subjects. To comply with the GDPR, these codified rights must be acknowledged and implemented by all companies collecting personal data on EU citizens.
The GDPR specifically prohibits the use of long, convoluted terms and condition statements, particularly statements that contain legalese. Any request for consent, declaration of terms, or statement of privacy must be presented clearly and concisely, and without any ambiguity of meaning. Furthermore, it must be as easy to withdraw consent as it is to give it.
The GDP also makes it crystal clear that businesses and organizations handling private or sensitive data must ask for consent and permission each and every time they access the data. Under the regulations, companies cannot ask for permission to access private data once and then consider that access to cover all future transactions. Under the GDPR, there is no such thing as a continuous blanket consent; each time data is used for a new purpose a new request for consent is required.
Compliance with the GDPR requires companies to notify all data subjects that a security breach has occurred within 72 hours of first discovering it. The method of this notification will include as many forms as deemed necessary to disseminate the information in a timely manner, including email, telephone message, and public announcement.
Right to access
The GDPR requires companies to provide, at the data subject’s request, confirmation as to whether personal data pertaining to them is being processed, where it is being processed, and for what purpose. Companies must also be able to provide, free of charge, a copy of the personal data being processed in an electronic format.
Right to be forgotten
Under the GDPR, companies will erase all personal data when asked to do so by the data subject. At that point, the company will cease further dissemination of the data, and halt all processing. Valid conditions for erasure include situations where the data is no longer relevant, or the original purpose has been satisfied, or merely a data subject’s subsequent withdrawal of consent.
The GDPR requires companies to provide mechanisms for a data subject to receive any previously provided personal data in a commonly used and machine-readable format. Under this provision, the data subject also has the right to request the company transmit the data to another processor, free of charge.
Privacy by Design
Compliant companies must follow Privacy by Design principles and implement appropriate technical and organizational measures in an effective way to meet the requirements of the GDPR and protect the rights of data subjects. In practical terms, this provision means that companies will process only the data absolutely necessary for the completion of its business and limit access to personal data to only those employees needing the information to complete the process consented to by the data subject.
Data Protection Officers
Large enterprises wishing to comply with the GDPR will maintain thorough and comprehensive records pertaining to the collection, processing, and storage of personal data. In addition, these enterprises will designate a Data Protection Officer (DPO) to oversee the application of the GDPR and to protect personal data from misuse and unauthorized access and other security breaches. If an enterprise meets the criteria, a designated DPO is a requirement, not an option.
Unfortunately for enterprises the world over, the specific criteria for when an enterprise is required to designate a DPO is still in flux. A general rule of thumb to follow, based on the EU Commission’s writings on the topic, is that a DPO is required for any enterprise with over 250 employees or for any enterprise processing the personal data of over 5,000 data subjects in any 12-month period.
SEE: Hiring kit: GDPR data protection compliance officer (Tech Pro Research)
Penalties for noncompliance with the GDPR
Penalties for failing to comply with the provisions of the GDPR can be severe and carry significant risk of liability for any company. The maximum assessable penalty for noncompliance with the GDPR is 4% of the annual global revenue generated by the company. The maximum penalty will be imposed on organizations failing to acquire sufficient customer consent to process data or for violating the Privacy by Design concept.
Other violations are assessed on a tiered basis depending on the infraction. For example, a company can be fined 2% for not having its records in order, not notifying the supervising authority and the data subject about a security breach in a timely manner, or for not conducting a required impact assessment of a security breach.
How can I learn more about the GDPR?
A complete version of the EU General Data Protection Regulation, formatted for easy reading, is available, and every enterprise that collects personal data from customers should become familiar with its provisions.
Editor’s note: This article was first published in August 2017, and it was most recently updated in May 2019.