As we approach the May 25th deadline for the implementation of the EU’s General Data Protection Regulation (GDPR) it is important to know what this is, what it covers, and how it affects companies outside of the European Union.
What does it cover?
The GDPR requires businesses to protect the personal data belonging to European citizens and regulates the export of that data to entities outside of the EU. The regulation does not differentiate between types of information, so data such as IP addresses and cookie data are as important as names and social security numbers.
Who needs to be in compliance?
The GDPR is a European Union regulation, so any companies inside the EU, or that conduct business inside the EU, need to be in compliance. This also includes any companies that have data of any European citizens, so large companies and social networks may also be affected, even if they don’t have a European presence.
Any company that handles data is responsible for that data under this regulation. This means that any outsourced data handlers, such as payroll providers, also need to be in compliance with the GDPR.
Why the new regulation?
This regulation replaces the Data Protection Directive of 1995. That directive is badly outdated, as very few online transactions and very little personal data collection took place over the internet in the 1990s. Given the current age of online shopping, social networks, and online services collecting and processing information related to individuals, a replacement for the directive was needed. And with the rise of cyberattacks against companies, consumers are especially concerned about how their personal information is stored.
What do companies need to do to be in compliance?
There is an in-depth checklist available that addresses the compliance needs for data controllers and data processors. Some of the key factors include:
- Customers must be able to easily view, modify, and request deletion of their personal data
- Customers can object to profiling or automated decision making based on their data
- Privacy policies must be written in a way that is clear and understandable to the average user
- Companies must automatically delete data that the business no longer has any use for
- Customers can easily request that their data be transferred to themselves or a third party
- Companies must obtain consent before processing a person’s information
If you require any consulting about whether your company or organization needs to be in compliance, or want to discuss how to become compliant, please schedule a consultation with us!