The law enacted by the European Union known as the General Data Protection Regulation or (GDPR) went into effect in May 2018. The law is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).
It has far reaching effects on how companies collect, protect, and utilize data around the globe. For U.S. based companies there are several key issues to keep in mind. Remember this law extends beyond the E.U., so U.S. firms collecting and processing private data that involves E.U. citizens are liable under the new law. Because the law extends beyond the E.U., it is the first global data protection law.
The first thing to understand about the law is that it expands the definition of personal data. The GDPR defines personal data as, “any data that can be used to identify an individual. That includes genetic, mental, cultural, economic or social information.” ComputerWeekly.com
Another stipulation of the GDPR is that organizations must get clear consent to process collected data. Organizations must explain what personal data they are collecting and how it will be processed and used. They must also ensure that if a breach occurs it is reported to appropriate authorities within 72 hours.
Since the EU law extends globally it is important that U.S. companies prepare now. If businesses do not prepare for the law they could find themselves being fined. The fines are considerable reaching up to 4% of their global annual turnover.
In her blog GDPR for Dummies, Kate Bordwell, takes the very complex rules of the law and turns it into a practical and simple theme. She says the rules can be seen as following six themes.
- Know what you have, and why you have it.
- Manage data in a structured way.
- Know who is responsible for it.
- Encrypt what you wouldn’t want disclosed.
- Design a security aware culture.
- Be prepared… Expect the best but prepare for the worst.
There a few key points to consider when thinking about the ramifications of the GDPR. If your company has a website and you are collecting cookies it is possible that you are collecting and processing Personally Identifiable Information. (PII) Under GDPR you will need to apply the six themes above to that data. It is also key to make sure in the process of collecting and processing data that you document the journey of the data. Consider making data maps as part of your data organization plan.
However, you decide to organize, process, and store your data it is imperative that you document your processes. Documentation will be critical should you encounter a breach.
While many see the new law as a nuisance, it has far reaching implications when it comes to the protection of consumer data. If we see the law as an opportunity to improve the security of our client’s data then we have started to create a culture of security within our organizations. In the end the overall purpose of the law is to provide global protection for consumers. If as a result we begin to create a culture of security we all win.