General Data Protection Regulation. GDPR.
Over the last week or so, you’ve likely been privy to all the discussion around privacy, whether regarding Facebook, other social media websites, or the European Union’s General Data Protection Regulation (GDPR), which went into effect last Friday, May 25, 2018. For that reason, I want to update you and make sure you know your rights.
It is too early to know how the new regulation will actually be interpreted. That being said, there are a few things I know for sure, based on my actual reading of the EU law. Without question, the actual law is VERY lengthy. But if you are someone like me who likes to get legal information from the source, or from someone with real, accurate information, rather than from some internet person who has merely regurgitated what they read without understanding it, here is a link.
What does the GDPR say?
An overriding theme of the GDPR is that people should have control of their own personal data. Further, they should have the right to have their data erased/deleted or its use restricted.
Who Qualifies Under the GDPR?
Generally, anyone in a European Union member state, which includes the United Kingdom. If you reside in an EU member state and offer goods and services to others in an EU member state, then you must comply with the regulation. Also, if you are anywhere in the world and are engaged in offering goods or services to residents of member states (called data subjects in the regulation), then the GDPR applies to you. That means anyone in the US doing business with, marketing to, or collecting information from a European Union data subject must comply with the GDPR.
There are some exceptions to activities that qualify. Among them is processing personal data in the course of a purely personal or household activity. The catch here is that if your personal or household activity includes commercial activity, then the rule applies.
What Businesses Should Know:
In short, here are the main areas of focus and things you must do to be deemed in compliance:
- Privacy policies – first and foremost, privacy policies MUST be updated, including new information relating to individuals’ rights. And that is only the beginning…
- Accountability – if you qualify under the GDPR, it’s imperative that you keep documentation demonstrating that you are complying with the law.
- Greater Individual Rights – new rights addressing access, when and how an individual can object, data portability, and what happens in the event of a breach.
- Data Protection Officers (DPOs) – in many instances, you might consider appointing a Data Protection Officer (DPO), someone who is solely responsible for ensuring compliance and who is the go-to person in the event of a problem.
- Consent – new rules apply, regarding the collection of data, e.g., consent must be express and explicit.
- Breach notification – new rules regarding data breach reporting apply, and if a breach is discovered, the breaching party has 72 hours (subject to certain conditions) to notify the individuals impacted.
Takeaways and Things You Should do Immediately:
- Review your privacy notices and policies. Consider hiring a competent lawyer who understands privacy and the GDPR requirements. Listen to non-lawyers espousing legal information about the GDPR at your peril.
- Prepare/update the data security breach plan. You must have a plan!
- Audit your consents—how are you gaining consent? Are you in compliance?
- Develop a framework for holding yourself accountable – monitor processes and procedures, and TRAIN YOUR STAFF.
- Appoint a DPO, if possible.
- Take this seriously. The penalties for non-compliance are stiff!