The Top 10 Things Everyone Needs To Know About GDPR

GDPR is the acronym for Europe’s “General Data Protection Regulation”, which is the toughest set of personal privacy regulations in the world.  You can see from the GDPR Timeline accompanying this post that companies have had about 3 years to get their systems into compliance, and it comes into full force in May 2018.

Below are the top ten things all companies and people need to know about GDPR:

1: Does GDPR Apply To Me?

GDPR applies only to:

  1. CITIZENS of the EU
    • However, many global companies, including Facebook, have announced that they will meet GDPR standards for ALL their users globally.
  2. COMPANIES that touch EU citizen data, regardless of the country they operate in, because most countries have reciprocal enforcement arrangements with the EU.

The only real exceptions are:

  1. rogue states like North Korea and Russia that do not have reciprocal arrangements with the EU
  2. the smallest companies that do not have any contact with European personal data or staff

If you have a single citizen of the EU on staff, OR your firm touches EU citizen data in any way, OR you have a single staffer stationed in Europe, GDPR applies to your company.

2: Do EU Citizens Now Have the RIGHT to Understand Why Data Is Being Collected?

Yes, the legislation calls EU citizens “data subjects” and they must now be told WHY the data is being collected.  Article 12 states:

“…relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language…”

It goes so far as to say that companies can no longer bury consent in long “End User License Agreements” (EULAs) that almost no one reads.  GDPR Article 7 is titled Conditions For Consent and states:

“If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.”

3: What Data Can Companies Collect / Process Under GDPR?

If a company collects or works on (“processes” in the GDPR vernacular) data on EU citizens, it must have an explicit business purpose for doing so.  The days of Radio Shack requesting all your personal contact information just so you can buy a no-name AAA battery in their store are over.

4: How Long Can a Company Keep My Data?

Personal data on EU citizens must be deleted (without request) as soon as the ORIGINAL business use for collecting that data is complete.  The act does not explicitly state a maximum period of time data can be maintained; instead it says:

This is the fifth data protection principle. In practice, it means that you will need to:

  • review the length of time you keep personal data;
  • consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it;
  • securely delete information that is no longer needed for this purpose or these purposes; and
  • update, archive or securely delete information if it goes out of date

5: Do I Have The “Right To Be Forgotten” Under GDPR?

Yes, people of the EU have the legal RIGHT to be forgotten, meaning that if a user requests their data be deleted, the company must remove it in a timely fashion. Article 17 of GDPR is titled the “Right To Erasure”, and Article 7 gives you the RIGHT to withdraw your consent at any time, thereby requiring the prompt deletion of your personal data:

“The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof.  It shall be as easy to withdraw as to give consent.”

6: Do ALL Companies Need To Have Someone In Charge of Personal Data Security?

All companies subject to GDPR, regardless of their head office location, must have a “Data Protection Officer” (DPO) that reports directly to the CEO, so it is a very serious job.  Article 39 of GDPR states:

  • “… the DPO shall not receive any instructions regarding the performance of her duties”
  • The DPO can’t be easily fired: “The DPO is appointed for a period between 2 and 5 years, may be reappointed for up to a maximum of 10 years and can be dismissed only with the consent of the European Data Protection Supervisor (EDPS).”
  • a DPO should not also be a controller of processing activities (for example if she is head of Human resources)
    • The idea here is that they need to be separated from the business so they can objectively be responsible for personal data
  • DPOs must “Create a register of processing operations within the institution and notify the EDPS those that present specific risks (so-called prior checks)”

7: Do I Have The RIGHT To Know About Data Breaches Under GDPR?

Within 72 hours of the breach being identified, data breaches must be reported both to the affected people, if the breach can cause “significant harm”, AND to the GDPR regulator.

8: Does GDPR Apply To European Business Information?

No, GDPR is B2P (Business to Person) legislation and does not apply to B2B (Business to Business).  That does not mean that Company A can transfer EU personal data to Company B for processing, to get around GDPR.  In that situation, both companies are liable.  Company A is liable for breaches or misuse of personal data for anyone they transfer the data to.  Company B is working with EU personal data, regardless of the source of that data, so they are liable to keep the data safe and processed for lawful purposes.

9: Can I Demand Companies Tell Me What Information They Know About Me?

Yes, companies are required to fully disclose and transfer any information they have on a citizen of the EU on demand.

10: Are Companies Required To Continuously Upgrade Their Personal Data Protections?

Under GDPR, there is no ‘set it and forget it’ solution.  There is no single thing or list of things that companies must do to protect personal data to be compliant with GDPR.  GDPR anticipates technology change and requires companies to continuously upgrade and adapt their personal data protection systems.

11: What Now?  I Need a Bit More Information About GDPR:

This Microsoft video provides a good overview of GDPR in 20 minutes:

For more information see these sites:
