As the global focus on data security continues to intensify, the European Union (EU) is implementing broad-ranging data security and privacy measures that are certain to affect any business doing work overseas and any company handling the personal information of EU residents. The new regulation is formally known as “Regulation (EU) 2016/679” of the European Parliament and the Council, but is more often called the General Data Protection Regulation (GDPR); it took effect at the end of May 2018.
The primary purpose of GDPR is to define standardized data protection laws for all EU residents for all member countries. Its objectives are as follows:
- To increase privacy and extend data rights for EU residents
- To help EU residents understand personal data use
- To give regulatory authorities greater powers to take action against organizations that breach the new data protection regulations
- To address the export of personal data outside of the EU
- To require every new business process that uses EU personal data to abide by the GDPR data protection regulations and Privacy by Design rule
The last two items, in particular, show that any company or organization holding EU resident information and/or doing business in or with any of the 28 EU member states needs to be prepared for the new data privacy standards. The GDPR rules apply to sensitive data which uniquely identifies a specific individual. This includes categories such as email, genetic information, IP address, and biometric data—along with driver’s licenses and other types of personal information. As such, under GDPR, the definition of personal data has been both broadened and simplified to “any information relating to an identified or identifiable person.”
Even if your business is based in the United States rather than Europe, strong penalties exist for companies doing business with EU nations that are not in compliance. Although precedent for non-compliance has yet to be set, it is likely coming very soon. Rather than risk non-compliance penalties, companies should treat adherence to this new set of regulations as essential.
Here are some of the key attributes of GDPR of which businesses and organizations should be aware.
One set of rules—A single set of data protection rules will apply to all EU member states. GDPR will apply to all companies that process personal data of EU residents, regardless of their location.
“Right to be forgotten”—This is also known as the Right to Erasure. EU residents will have the right to request that personal data relating to them be erased. This is an enormous change from previous regulations.
“Right to access”—Data subjects will have the right to obtain confirmation from the data controller whether or not personal data concerning them has been processed, regardless of where it has been processed or for what purpose.
Mandatory notifications—Data breach notifications will become mandatory in all EU member states if the data breach is likely to “result in risk pertaining to the rights and freedoms of individuals.” GDPR calls for notification without undue delay and, where feasible, within 72 hours.
New consent rules—Consent rules are changing, and opt-in requirements for obtaining personal data are much stricter.
“Privacy by design”—GDPR calls for data protection to be built in from the outset of system design, rather than being added at a later date.
Data Protection Impact Assessments—Data controllers and data processors will be required to conduct data protection risk impact assessments for projects that have high privacy risks.
Notifications no longer mandatory—Under GDPR, it will no longer be necessary for data controllers to submit notifications/registrations of data processing activities to local data protection officers.
Accountability Principle—The new Accountability Principle in Article 5(2) requires demonstrating compliance with the GDPR principles, and states explicitly that this is each company/organization’s responsibility.
Naturally this is a lot of change for U.S.-based companies to digest. But taking the time now to become familiar with these new regulations and to adapt to them should leave companies and organizations well positioned for compliance and protection in the future. These new rules are something that simply cannot, and should not, be avoided. They actually make good sense and protect a person’s privacy.
Jeffrey I. Ziplow, MBA, CISA, CGEIT, is a partner with BlumShapiro, the largest regional business advisory firm based in New England, with offices in Connecticut, Massachusetts and Rhode Island. The firm, with a team of over 500, offers a diversity of services, including auditing, accounting, tax and business advisory services. Blum serves a wide range of privately held companies, government and non-profit organizations, and provides non-audit services for publicly traded companies. To learn more, visit blumshapiro.com.