GDPR forcing you to rethink how your business handles data? You’re not alone.
What is GDPR?
The General Data Protection Regulation (GDPR) is a European Union (EU) regulation intended to strengthen and unify data protection for all individuals within the EU. By May 25, 2018, all organizations handling, storing or processing EU citizen data are expected to comply with these new regulations. GDPR dictates the procedures and consequences surrounding breaches and notifications.
Here are some key terms you should know:
Controllers are government agencies as well as public and private organizations that collect and process data. They determine how and why it is collected, used, and shared.
Processors are companies or entities that process personal data on a controller’s behalf such as third party IT contractors or cloud providers.
Data Subjects are the individuals whose personal data is processed. They may be clients, employees, or customers.
What do you need to do to comply with GDPR?
• To handle private data, Controllers and Processors must obtain a Data Subject’s explicit permission:
    • Consent must be informed, unambiguous, and freely given.
    • An individual’s consent can no longer be assumed by default.
    • Any consent documentation should be written in plain language and be as easy to revoke as it is to provide.
    • Data Subjects must be allowed to withdraw consent.
• Data must be erased if the Data Subject withdraws consent:
    • Processors and controllers must erase and stop distributing personal data if a data subject requests it, and in particular when:
        • the data is no longer relevant to the purposes for which it was collected;
        • the data subject withdraws consent and there are no other grounds for processing the data without consent;
        • the data subject objects to the processing; or
        • the data was processed improperly.
• Data Controllers and Processors must allow Data Subjects to request their information:
    • Processors and controllers must give data subjects their personal data in an electronic, structured, and commonly used format so that they can then provide it to a third party if they choose.
• Notify authorities of data breaches:
    • Processors and controllers must notify data subjects of data breaches that are likely to put their privacy at risk without undue delay.
What happens if you don’t comply?
The penalties can be quite severe if companies fail to comply:
• You could pay fines up to €20 million (approx. 24 million USD) or 4% of your organization’s.
• Data breach victims could file class action lawsuits.
• Potential damage to the company’s brand and subsequent revenue loss.