The General Data Protection Regulation, more commonly referred to as GDPR, is a legal framework that sets guidelines for the collection and processing of personal information from citizens of the European Union (EU). Since the Regulation applies regardless of where websites are based, it must be heeded by all sites that attract European visitors, even if they don’t specifically market goods or services to EU residents.
The GDPR mandates that EU visitors be given a number of data disclosures. The site must also take steps to facilitate such EU consumer rights as a timely notification in the event of personal data being breached. Adopted in April 2016, the Regulation came into full effect in May 2018, after a two-year transition period.
According to a recent Forbes article, to be prepared for GDPR, there are 3 common areas to focus on.
- Build a Data Breach Incident Response Plan: The biggest sign of readiness is having a data breach plan or incident response plan in place. While most companies have some form of a plan in place, they will need to review, amend, and update it, ensuring full compliance with GDPR requirements.
This is only half the battle. You had better be prepared to enact it when a data breach occurs. Testing these plans is essential; otherwise, how will you know whether the plan actually works? The GDPR requires that companies report breaches within 72 hours, or 3 days. How well the data response team is able to implement the plan and minimize any damage will affect how much a company is fined and/or penalized.
- Hiring A Data Protection Officer (DPO): The GDPR requires that a data protection officer (DPO) be appointed and hired. However, it doesn’t address whether it needs to actually be a discrete position, so presumably, a company could name an officer who already has a similar role to that position, so long as they are able to show their protection of personally identifiable information (PII), with no conflict of interest. GDPR allows for the DPO to work for multiple organizations, lending support for a “virtual DPO” as an option.
- Create a Record or Log of Risks and Compliance Progress: Now that the clock has ticked its last tock, companies had better have an updated record of the progress made over the past two years, showing the identification of all their risks and the measures taken to minimize or eliminate those risks. This record, or Record of Processing Activities (“RoPA”), is required by Article 30 of the GDPR and focuses on the inventory of risky applications and programs that may be operating.
The fears of manipulation, alteration, and fraud remain issues to be addressed. In the era of blockchain, having a log stored on the blockchain that cannot be manipulated or altered could prove extremely useful for companies moving forward.
How Does This Affect the US?
When it comes to US businesses, the GDPR requirements will force them to change the way they process, store, and protect customers’ personal data. Companies must provide a “reasonable” level of data protection and privacy to their customers, storing data only with the individual consent of those customers and for no longer than is absolutely necessary for the purpose for which it is processed. However, the regulation doesn’t define what “reasonable” means in terms of ensuring compliance, so this could complicate future incidents, where the question will be whether or not an organization took enough steps to ensure minimal damage.
Upon request, companies must erase personal data—unlike the Cambridge Analytica and Facebook data breach that is still unfolding. The right to be forgotten is a powerful right and a right we as citizens are all entitled to. However, GDPR doesn’t supersede any current legal requirement where an organization is required to maintain certain data, like HIPAA requirements.