What is the GDPR and who does it affect?
As of late there has been quite a lot of mention of the "GDPR" across business, technology and government articles, describing how the GDPR will turn the tech world and all things consumer information on its head.
But what does that actually mean? It's important to know what the GDPR is and how it will affect us day to day, moving forward.
So, the basics, what is GDPR and what does it stand for?
GDPR stands for the General Data Protection Regulation, a law that has been in the making for seven years and will come into effect across the European Union on May 25th.
This new data privacy law gives people a stronger voice and more control over their personal data, and forces companies to make sure the data they collect, process and store is safe from outside hands.
This regulation was conceived in the hope that companies will change the way they think about data, so that it is seen as more valuable and treated accordingly. The core idea is "privacy by default".
Who is affected by the GDPR?
Any form of organization that stores or uses data on people in the European Union is affected by these regulations, no matter where it is based.
This means that even if your company doesn't have direct relations with Europe, but you support a business that has customers inside the EU, you will also be subject to these new rules.
A good example would be a call center that handles customer service for companies that sell products in Europe, or a website that tracks browsing history; both would be affected by the GDPR regulations.
Now it may seem pretty simple on the surface, however it has a large impact, seeing as data is everything these days. The cost to comply with these new regulations is quite significant, so much so that it is estimated that Fortune Global 500 companies spent roughly $7.8 billion to prepare for the new rules.
So what's it all mean?
So what does this mean for our data and companies that collect it?
Well, companies can still collect data on consumers, however they now need to prove that they have a "lawful basis" for doing so.
This could come in the form of a contract or legal obligation that allows them to collect the data.
Another way would be to gain consent from each customer to store and process personal data. These requests need to be clear and concise so there is no room for ambiguity or confusion.
Another form of acceptable data collection would come in the form of public interest or safety, for example the police gathering information on a wanted or suspected criminal.
And of course, along those same lines, hospitals may request and collect personal data for the purpose of saving lives, especially when a patient is unconscious and the necessary medical information cannot be obtained from the person directly.
What do companies have to do in order to comply with these new regulations?
Businesses will have to pay for stronger security of personal data and won't be able to hold personal data indefinitely anymore. Due to these new regulations there will be a significantly stronger backlash against the leaking of personal data, of which we saw a lot this past year.
Along with restrictions on retaining personal data, anybody now has the power to ask for their personal information to be deleted from a company's servers. The only exceptions to this would be law enforcement purposes, or a requested service that requires the data in order to be fulfilled.
Businesses will now be required to report any security breach within 72 hours of discovering it. This was a huge issue in 2017, when businesses tried to go as long as they could without informing their customers of a breach involving personal data.
Companies will also, at times, have to prove that their use of data is handled properly, meaning increased monitoring and documentation, and possibly hiring data protection officers.
Why is this happening?
The GDPR was formed to expand and evolve the rules that were put in place in 1995, when the internet really started to boom and data really started to flow. We have been using rules and regulations that were outdated and inapplicable in some instances, causing confusion and problems, and on some occasions abuse of data.
The European Union has stated that the new rules are necessary to protect consumers in an era of large scale cyber attacks and data leaks.
So what happens if a company does not comply with the new rules?
Huge financial penalties.
European regulators are able to fine companies up to 4% of annual global sales, which could spell billions for big tech firms. Penalties for smaller firms would have a cap of $23.5 million.
Keep up to date on your technology and its vulnerabilities and solutions with RE2Tech. We make I.T. easy!
What do you think about the GDPR?
Give us a call or send us an email for all your I.T. needs! We at Re2tech make I.T. happen!