Today, we find ourselves in a hyper growth global economy. This kind of growth requires that businesses handle large amounts of customer data. Emerging at a parallel rate is the need for modern legislation to help businesses understand how to protect consumers. In response, the European Union (EU) has developed the General Data Protection Regulation (GDPR).
What is the GDPR?
The GDPR is a set of European data protection laws intended to offer guidelines to businesses for protecting customer data and offer extra protections for consumers when it comes to identifying information. Intended to replace the outdated data protection laws put in place in 1995, the GDPR was adopted in April of 2016. After an extensive two-year development process, the law will finally be instituted on May 25, 2018.
What kind of data is protected under the GDPR?
The new data protection regulation will require that businesses go the extra mile to protect customer data. This data includes any information that can be used in the identification of an individual.
The GDPR protects information such as:
- Bank details
- Cookies collected from a digital visit
- DNA data
- Email addresses
- IP addresses
- Medical information
- Name
- Photo
- Social media posts
Basically, if it can be used to identify a person, it must be protected.
What does the GDPR mean for U.S. businesses?
If you conduct business with any citizen of the EU, your business will fall under the purview of the GDPR. This includes any businesses that operate in the Cloud. The GDPR protects any citizen of the EU, regardless of where that customer does business or where the company is physically located. For example, if your business is located in the United States but you sell to European citizens on any level, you will need to comply with GDPR as well as PCI standards.
According to the EUGDPR website, any company which conducts business with a citizen of the EU must be prepared for changes regarding:
- How you approach data transparency: Businesses must be able to supply information to their customers which describes how and where their personal data is being processed and what purpose it serves. This information must be supplied to customers in a digital format and free of charge.
- How you oversee data protection procedures: Businesses involved heavily in the processing of large amounts of customer data or those that deal with a special category of data will have to appoint a Data Protection Officers (DPO) to oversee all data protection policies and practices.
- How you make data portable: This requires that businesses supply consumers with their data and allow them to give it to another company.
- How you gain consumer consent: Consumer consent must be given before any identifying information can be used or processed in any way. Any form requesting consent must be easy to understand and locate. The new data protection laws will require that consent for customer information be written in comprehensible language, meaning there should be no jargon or attempts to confuse with legal terminology. In addition, it must be easy for customers to withdraw that consent at any time.
- How you deal with data after you no longer need it for processing transactions: The GDPR grants citizens the right to “be forgotten.” This requires that businesses erase any data at the request of customers that isn’t relevant to the initial processing intent.
- How you deal with consumer privacy: The new GDPR regulations insist that privacy measures be integrated into the design of your infrastructure, rather than added on. This may mean that some businesses will be required to overhaul existing technology to meet the privacy mandates.
- How you handle data breaches: Businesses will have 72 hours to notify customers of a data breach under the GDPR.
- What you can be fined and penalized for: Under the GDPR, a business found to be in violation can be fined up to 4 percent of “annual global turnover” or 20 million Euros, whichever amount is the highest. For minor infractions, a business may be fined less.
While the new GDPR will offer expanded protections for consumers, it may require that you make significant changes to your processes and systems in order to comply.