The General Data Protection Regulation (GDPR) has emerged as a global standard for the security and compliance community. The European Commission launched GDPR in 2016 to protect the personally identifiable information (PII) of European Union (EU) citizens. As most modern companies operate globally, protecting the personally identifiable information of customers and employees has become a business priority and requirement.
Under GDPR, the scope of PII is broad. Any information that, by itself or in combination with other information, can identify an individual (a natural person) is considered personally identifiable information. PII identifiers range from a simple name to sensitive personal information such as race or political views. Here are some examples of identifiers:
Information that leads to the identity of an individual is considered PII. This can be confusing, because certain information might seem harmless at first glance. Pay close attention to the provision that says information “by itself or in combination with other information.” For example, a user’s job title, “vice president,” might not make the person identifiable, as many vice presidents exist worldwide. Similarly, a user’s company name, “Acme Corp,” might not lead to a real person, as the company might have hundreds or thousands of employees. But combining the two pieces of information can point to a recognizable individual. Any use of PII data requires consent from the user. A goal of GDPR is to prevent algorithmic discrimination or profiling (GDPR Article 22) through data transparency. So, it is important to protect all user data as potential PII.
GDPR’s main objective is to protect the data security and personal information of EU citizens, regardless of their current residence. In GDPR terminology, the natural person whose PII needs to be protected is called a data subject.
The GDPR standard applies to any company operating in the EU and to any non-EU company storing and processing EU citizens’ PII data from anywhere in the world. A business that stores and processes PII data is either a data controller or a data processor.
Organizations that determine the “why and how” of data are considered data controllers, while organizations that process personal data on behalf of data controllers are called data processors. Data controllers have more responsibilities under the GDPR mandate. If your business collects data from users, you are a data controller. However, if your business model is to help other companies maintain their data, then you are a data processor.
Your business needs to adapt and change processes to comply with GDPR requirements. It might take some rethinking of your current organizational practices. At first, the task might seem overwhelming. The following suggestions might help:
Get Educated: Read the GDPR documentation to get first-hand knowledge of the requirements. Talk to industry experts and other companies to understand how other businesses protect PII data.
Evaluate Data Collection, Processing, and Storing Practices: GDPR has particular rules about how an organization should handle personal data. According to the regulation, you need user consent to collect data. Users have the right to transport, modify, or delete their data from your systems. To protect data security, you will have to implement encryption, anonymization, and pseudonymization, among other measures. So, on an organizational level, you will have to evaluate and update your systems to collect, process, and store data according to GDPR standards. Every organization is exposed to internal and external risks of information leakage, exfiltration, and loss. GDPR compliance mitigates such risks.
Appoint a Data Protection Officer (DPO): All companies, regardless of size, must have someone responsible for data protection to monitor the legal and technical issues of GDPR. In GDPR, the accountable person is called a data protection officer (DPO). GDPR also has a provision for data protection authority (DPA) on the national level. Each EU and non-EU member country that the European Commission has recognized under GDPR has a DPA. DPAs are responsible for policing businesses and organizations in local jurisdictions. When DPAs contact your company to check compliance, your DPO will be the main point of contact.
Be Ready for Data Breach Reporting: GDPR has stringent rules for data breaches. Organizations have to report breaches to their local DPA within 72 hours. Businesses might also have to inform the affected users, depending on the personal data accessed. The 72-hour window is short, so you need a process in place to follow data breach protocols.
Work With GDPR-Compliant Third Parties: When you outsource work to a third party, you are considered the data controller, and the third party is regarded as a data processor. Under GDPR, the final responsibility falls on the data controller, the company that outsources any process or service. So, it is crucial to review the GDPR compliance policies of any third-party company you employ. Ensure your contract stipulates the responsibilities and obligations of the third party so that you can stay in compliance. Another benefit of working with compliant parties is that they can share knowledge, experience, and expertise about GDPR to help your business.
The price of GDPR non-compliance is high. A less severe violation can lead to fines of up to €10 million or 2% of the previous year’s global turnover, whichever is higher. A significant infringement can lead to fines of up to €20 million or 4% of the previous year’s worldwide turnover, whichever is higher. In 2020, the French DPA fined Google €100 million and Amazon €35 million for tracking cookies without user consent. So, businesses of all sizes need to take GDPR seriously.
Furthermore, non-EU countries and states are defining their own privacy acts and laws using GDPR as a model. For example, the California Consumer Privacy Act (CCPA) became effective on January 1, 2020. Its rules are similar to GDPR, but they are intended to protect the personal data of California residents.
If California were a country, it would be the sixth-largest economy globally. So, California adopting GDPR-like regulations through CCPA has a far-reaching effect on the business community. However, most GDPR-inspired regulations like CCPA are less stringent than GDPR. If you align your organization with GDPR, you have a 99% chance of complying with the rest of the local regulations.
You want to follow the GDPR rules to avoid legal, financial, and reputational trouble. However, GDPR is also beneficial for the expansion of local and international businesses. Even though GDPR is intended to protect the consumer’s PII, it also protects your business by forcing you to improve your security practices.
If you want to start your GDPR journey, please feel free to contact Flugel. We have years of experience helping small businesses and large enterprises with security and compliance. Our experts can help you start your GDPR journey today.