It’s not business as usual anymore, at least when it comes to privacy and data protection.
The way businesses worldwide collect, process and store the personal data of consumers and clients—everything from their names, email addresses, social media posts, locations, IP addresses, banking information and more—changed when the General Data Protection Regulation (GDPR) took effect May 25.
Any company that offers goods or services in the European Union (EU), no matter what size business, must comply with the new regulations. Charities and nonprofit entities that collect information from people in the EU must also adhere to the GDPR. Even businesses considering expanding into the EU are required to comply, even before business operations begin.
The key elements affecting businesses include consent and accountability, notification of a data breach and the right to be forgotten. Since 1995, the EU has been regulating the transfer of data, but the GDPR has tightened regulations by expanding the types of data defined as “sensitive,” requiring even more protection. In addition, the GDPR now addresses the “pseudonymisation” or depersonalization of data and defines how that must occur in order to avoid liability.
Businesses must be transparent in their use of data and obtain consent to use their consumers’ data. Individuals also have the right to withdraw their consent at any time. In addition, separate and specific consent must be obtained for each different purpose for which a company wants to use an individual’s data, including sharing data with third parties.
Any data collected by a business must have a time-stamped audit trail and include what the individual opted into and how. Third-party vendors or service providers that access a company’s data must also adhere to the new regulations.
Security is essential under the GDPR, as it was under the prior data privacy paradigm. Controllers of data must put appropriate security measures in place to protect the data they hold. If personal data is breached, businesses are required to notify their customers within 72 hours of when the business becomes aware of it.
Despite the impending deadline, only 36 percent of surveyed executives said they will be fully compliant with GDPR by the enforcement date, according to an IBM report released May 16. However, 59 percent of those surveyed see the GDPR as an occasion for transformation or “a spark for new data-led business models.” This is a huge concern, because fines for non-compliance, even for failing to provide adequate notice to individuals, are hefty.
Non-compliance with GDPR will have huge consequences, including suspension of data processing and serious fines. The new rules provide for fines of up to 4 percent of a company’s annual global turnover or nearly $25 million, whichever is greater.
For customers and clients, the GDPR is a way for consumers to maintain more control over their personal data. It gives them the right to know whether, where and why their personal data is being used.
Businesses must comply with consumers who want their personal data permanently erased (also known as the “right to be forgotten”) and stopped from being disseminated further. Consumers can also object to their data being used for marketing purposes.
Businesses must restrict the information they collect to the least that is required to achieve their business goals. They must also dispose of outdated information.
The GDPR replaces the Data Protection Directive 95/46/EC, which was considered prohibitive to digital advances in business.
Businesses should contact a commercial law attorney for further explanation and to ensure GDPR compliance.