In 2018, the media was dominated by news regarding GDPR, reporting all the necessary requirements for compliance and outing the companies missing the mark. However, just what exactly is GDPR? And why does it matter? Here’s everything you need to know about the latest and arguably the largest data regulation to date, and how it’s important to you and your business.
What is GDPR?
The General Data Protection Regulation (GDPR) is an EU regulation that protects the personal data and privacy of individuals (the "data subjects") across all 28 EU member countries (and, through the EEA agreement, Iceland, Liechtenstein and Norway). Essentially, GDPR requirements are a baseline set of standards for companies to adhere to whenever they collect or otherwise process personal data. Of its 11 chapters and 99 articles, we've broken down the most important provisions and their privacy and data protection requirements below:
- Data Minimisation and Storage Limitation
Article 5
GDPR limits how data may be collected and kept: companies may collect only the personal data that is necessary for a stated purpose, and may not hold on to it once that purpose has been fulfilled.
- Lawful Basis and Consent
Articles 6 & 7
These articles put power into the hands of the individual. Every processing activity needs a lawful basis; where that basis is consent, data subjects must give it freely, for a specific purpose, and be able to withdraw it as easily as they gave it.
- Data Breach Notifications
Articles 33 & 34
GDPR requires a company to notify its supervisory authority of a personal data breach within 72 hours of becoming aware of it, and, where the breach is likely to result in a high risk to the people affected, to inform those data subjects without undue delay.
- Pseudonymisation and Security of Processing
Articles 25 & 32
GDPR requires a company to apply security measures appropriate to the risk, and names pseudonymisation and encryption of personal data as examples. Fully anonymised data, from which no individual can be identified, falls outside the regulation altogether.
- Appointment of a Data Protection Officer
Articles 37, 38 & 39
A Data Protection Officer (DPO) must be appointed when a company's core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data (such as health or biometric data), and by public authorities.
When did it come into effect?
GDPR became enforceable on May 25, 2018, two years after its formal adoption, and many businesses began taking a hard look at their policies and procedures to ensure compliance. It replaces the 1995 Data Protection Directive, an outdated instrument that failed to address the myriad ways consumers' data is collected, stored, and transferred today, and, unlike a directive, applies directly in every member state without separate national legislation.
How can companies ensure compliance? And what happens if they don’t?
GDPR is written in broad, principle-based terms and leaves much of the detail to interpretation and to guidance from regulators. Companies that fail to comply can be fined by the supervisory authority of the member state concerned (in the U.K., the Information Commissioner's Office, or ICO), with penalties of up to €20 million or 4% of worldwide annual turnover, whichever is higher.
And these fines are huge. We've already started to see the giant financial implications of falling short of GDPR's standards: in July 2019 the ICO announced its intention to fine British Airways £183 million (approximately $230 million) after a breach compromised the records of around 500,000 customers, and Marriott was served a similar notice of a £99 million (approximately $123 million) penalty for exposing roughly 339 million guest records. These two proposed penalties are the largest under GDPR to date, and companies looking to avoid the same fate should quickly shape up.
What does it mean for the U.S.?
GDPR applies to any company or organization that processes the personal data of people in the EU, regardless of where the organization itself is located, provided it offers goods or services to those people or monitors their behaviour. This means that a U.S. business with no office in the EU can still be held to GDPR requirements, for example if it sells to EU customers online or tracks EU visitors to its website.
Okay, but what does all this mean for me and my data?
Essentially, under GDPR you as a data subject are given greater control over your personal data and what's done with it. You can move your data between service providers under your "right to data portability" (Article 20), and, in the circumstances the regulation lists, direct a controller to erase your data under your "right to erasure" (Article 17). You have the right to ask a company what information it holds about you and what it plans to do with it (Article 15). Overall, companies are now held accountable for how they handle and protect your data, and face real consequences if they expose it.