On May 25, 2018, the European Union’s (EU’s) new General Data Protection Regulation (GDPR) goes into effect, and it will affect businesses all over the world—whether they’re ready or not.
A basic part of being prepared for any new regulation is to know a few key things about it. So, to help you be better prepared for the new EU data protection regulation and its impacts, here’s a short list of some things that you should know about it:
The EU General Data Protection Regulation affects ALL corporate entities that handle or process the data of any EU citizen—regardless of where the corporation and the data in question are located. Even if your business is considered “small” or has a not-for-profit designation, if you handle an EU citizen’s data, GDPR’s rules will apply to your business.
Because of this, it’s important to make sure that you’re compliant with GDPR—especially if you’re in the hospitality, travel, software services, or e-commerce industries, which frequently serve clients who are traveling abroad or shop online. As noted in one Forbes article on the subject, “any U.S. company that has identified a market in an EU country and has localized Web content should review their Web operations.”
Within GDPR, the document’s drafters frequently refer to “data subjects,” who are the people whose data are being processed. Within the Regulation, there are numerous rights granted to data subjects. If these rights are abridged by your business, it could lead to fines.
Some key rights include:
It doesn’t matter whether the data you process comes via online surveys, in-person customer interactions, form fills on your website, or a carrier pigeon—the rules of GDPR will apply to all the data you collect about your customers.
The text of the Regulation explicitly states that, “to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used.” So, even if the data you store is in hard copy form, it’s still protected under GDPR.
If you’re an “intermediary service provider,” meaning that you don’t:
Then, your business shouldn’t fall under GDPR. Instead, you’ll fall under a different regulation called Directive 2000/31/EC. However, to make sure this is the case, I would strongly recommend that you consult with a lawyer specializing in business or telecom laws.
By default, “data processors” (that’s you and your business) are required to process only the personal data of a data subject that is necessary for a specific task. Basically, it means you can’t just go around sharing all of a person’s data with everyone an unlimited number of times.
For example, if you’re processing data for a purchase transaction, only the bare minimum of data for that transaction should be collected and used—such as the minimum payment card info required to process the transaction. Other data, such as common personally identifiable information (PII) like social security numbers—which would be overkill for establishing the payer’s identity—are off-limits.
Limiting the data being transmitted has the side benefit of limiting your (and your customer’s) exposure to risk if the transaction data is ever intercepted or otherwise compromised. Less data stored or transmitted means less damage done.
If a breach does occur—something that seems inevitable in the modern threat environment—GDPR’s requirements state that the business must notify any affected persons “without undue delay.” The wording on this is vague, but a good rule of thumb is to reach out to anyone whose data may have been stolen as soon as you know that their data was put at risk.
Additionally, under GDPR, businesses have 72 hours from when the breach is detected to notify “the relevant supervisory authority.” If you have a set incident response plan (IRP), this should give you plenty of time to investigate the breach and its cause before you contact the authorities—whom you should contact as part of your IRP anyway. The more information you can give the authorities about the breach, the better off you’ll be, since it will help their investigation.
The above list compiles just a few of the things that businesses need to know about the EU’s new Regulation. Is your business prepared for GDPR? Check out our free guide to GDPR at the link below, or contact us for more information about how to get your cybersecurity architecture prepared for the launch of the new rule from the EU.