A new data protection law, the General Data Protection Regulation (GDPR), takes effect on May 25, 2018. GDPR is an overhaul of the existing European Commission data protection legislation and is intended to strengthen and unify data protection for individuals within the EU, while also addressing the export of personal data outside the EU. GDPR applies to any organization or entity that offers goods or services to, or monitors the behavior of, EU data subjects. Any company processing and holding the personal data of data subjects residing in the EU, regardless of the company’s location, is affected. For example, GDPR will affect European and non-European businesses using online advertising and measurement solutions whenever their sites and apps are accessed by users in the European Economic Area (EEA).
One of GDPR’s central requirements concerns consent. Consent must be clear and distinguishable from other matters, and must be requested in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Explicit consent is required only when sensitive personal data is being processed (in this context, nothing short of “opt in” will suffice). For non-sensitive data, “unambiguous” consent will continue to suffice.
What, then, constitutes personal data? Any information relating to a natural person (a ‘Data Subject’) that can be used to directly or indirectly identify that person is personal data. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, or medical information, to a computer’s IP address.
The penalties for non-compliance with GDPR can result in organizations being fined up to 4% of annual global turnover or €20 million. This is the maximum fine that can be imposed for the most serious infringements (e.g. not having sufficient customer consent to process data, or violating the core Privacy by Design concepts). There is a tiered approach to fines. For example, a company can be fined 2% for not having its records in order (Article 28), for not notifying the supervising authority and data subjects about a breach, or for not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors – meaning ‘clouds’ will not be exempt from GDPR enforcement (examples of ‘clouds’: Dropbox, Google Drive, etc.).
Overall, if your business or organization has, in any way or form, contact with someone in the EEA, you must make sure you are in compliance with GDPR. For more information, or if you are unsure whether your business needs to pursue GDPR compliance measures, please contact us; we would be happy to discuss the specifics of your situation and what you will need to do to go forward with GDPR compliance measures.
For more information, see https://www.eugdpr.org/gdpr-faqs.html