What is GDPR?
General Data Protection Regulation (GDPR) is one of the most important changes in data privacy regulation in 20 years, replacing the previous Data Protection Directive (Directive 95/46/EC), released in 1995. GDPR is a regulation from the European Parliament, the Council of the European Union and the European Commission intended to unify and strengthen data protection for all individuals within the European Union (EU). GDPR becomes effective May 25, 2018. Organizations that fail to comply will be subject to heavy fines.
The Scope of GDPR
GDPR applies to organizations inside the EU and those organizations outside the EU that offer products or services that require maintenance or processing of personal data of EU residents, regardless of where that company resides. Personal data includes, but is not limited to, a photo, email address, bank details, an IP address, social media data and medical information.
GDPR and You: Individuals’ Rights Under the Regulation
The proliferation of the internet, e-commerce and electronic data storage has elevated concerns about the collection of individuals’ personal data and how it's collected, stored and used. It’s important to know your rights under these new regulations.
- Right to Access – The consumer has the right to request their data and ask how it’s being used.
- Right to Be Forgotten – The consumer has the right to have information/accounts deleted.
- Right to Data Portability – Individuals have the right to move their data from one service provider to another.
- Right to Be Informed – Consumers have the right to know if their personal data is being collected.
- Right to Have Information Corrected – Consumers can have their data updated or corrected if it’s out of date or incorrect.
- Right to Restrict Processing – Consumers can request that their data not be used for processing.
- Right to Object – Individuals have the right to stop the processing of their data for marketing purposes.
- Right to Be Notified – Consumers have the right to know, within 72 hours, that their data has been breached.
For example, under GDPR, if Facebook collects your data, you have the right to know that they are collecting your data, what specific information is collected and how it’s used. If you want to delete your Facebook account, they’re required to comply by deleting your account and the information collected from it. Should Facebook experience a data breach, they are required to inform you within 72 hours of discovering the breach. These rights are regulated under GDPR and affect EU users specifically. U.S. laws are slightly different.
GDPR vs U.S. Data Protection Regulations
Unlike the EU data privacy laws, privacy laws in the U.S. are “sectoral,” meaning they’re industry-specific. Presently, there is no single regulatory order or statute that stipulates data privacy for everyone. Here are some key differences between GDPR and U.S. Data Protection Regulation:
- The U.S. defines a data breach as “unauthorized access or acquisition,” while GDPR defines it as “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.” The U.S. has a lower, less strict threshold.
- GDPR requires companies that have experienced a data breach to document the details surrounding the breach and take remedial steps to prevent a reoccurrence. The U.S. doesn’t require this type of response to a data breach.
- U.S. laws specify what companies should and shouldn’t include in data breach notification letters. However, GDPR requires a detailed list of who has been affected, the name of the company’s data protection officer, the consequences for those affected and the measures taken to reduce the effects on individuals.
- The U.S. standard requires that impacted users receive notification within five to 30 days of a data breach. The GDPR standard is 72 hours.
While there are other differences between the two regional data privacy approaches, these seem to be the most significant in terms of protecting the data of consumers and users.
Steps to Help You Become GDPR Compliant
GDPR compliance is very complex and requires consideration of many factors, including your location, who your customers are, what user data you collect, how and where you store that data, and what you do with it. You should consult with legal counsel on how to best comply with GDPR. In the meantime, here are some fundamental steps you can take to prepare in advance of the May 25 implementation date.
- Appoint a Data Protection Officer (DPO). This person should be someone who has a legal understanding of the regulatory requirements and can determine what your company needs to do to be compliant.
- Create a process for handling and disposing of your company’s data:
  - Identify its origin, your responsibilities upon receiving it, and who has access while it resides with your company.
  - Decide what data your company needs to keep, and discard data that is no longer needed. This ensures that unnecessary information is properly disposed of without further risk of access.
- Determine how the individuals' rights listed above are addressed under the new GDPR guidelines.
- Establish a data breach response plan that includes protocols for notifying individuals and authorities in the event of a breach.
Tech Data partners with a host of vendors that offer products and services to help your business become GDPR compliant. We have security experts who can help. For questions regarding the new regulation, contact us at firstname.lastname@example.org or at 800-237-8931, ext. 73246.