The General Data Protection Regulation (GDPR) that took effect on May 25, 2018 led to a great deal of discussion. You may think it does not affect you, but read on.
GDPR applies to any organization, anywhere, that processes the personal data of people who are in the EU, whether by offering goods or services to them or by monitoring their behavior. Personal data includes HR records, customer and business contact details, behavioral information such as that gathered when someone visits a website, and IT network, traffic and communication logs that can be tied to an individual. "Anywhere" means exactly that: it covers someone in the EU visiting your website and filling out a form.
The GDPR took the 28 national implementations of the EU's 1995 Data Protection Directive and replaced them with a single, updated data protection regulation that applies directly in every EU member state. The goal of the GDPR is to give people in the EU control over their personal data and to change how organizations around the world approach data privacy. Each member state enforces the regulation through its own data protection authority (DPA). The GDPR also imposes strict penalties on organizations that fail to comply.
Authorities may impose fines at different levels under the GDPR:
- For violations of most of the operational and technical obligations (record keeping, security measures, breach notification, and similar), a fine of up to €10 million or 2% of global annual turnover, whichever is higher.
- For violations of the basic principles, the rights of individuals, or the rules on international data transfers, and for failure to comply with a DPA's orders, a higher penalty of up to €20 million or 4% of global annual turnover, whichever is higher, can be levied. Repeat violations count as an aggravating factor when the amount is set.
While the full regulation runs to 99 articles and 173 recitals, here are some key items:
- Every use of personal data needs a lawful basis. Consent is one of those bases, and where you rely on it, the consent must be freely given, specific, informed and unambiguous (and explicit for sensitive categories such as health data); pre-ticked boxes and silence do not count.
- Individuals have a right to obtain a copy of their personal data and a right to be forgotten, meaning they can ask for their data to be deleted.
- Organizations must report a personal data breach to the relevant DPA within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals affected.
- A Data Protection Officer (DPO) must be appointed if you are a public authority or body, or if your core activities involve large-scale monitoring of individuals or large-scale processing of sensitive categories of personal data.
Essentially, the GDPR makes sure businesses cannot spam people with emails they didn't ask for, nor sell someone's data without a lawful basis such as explicit consent. Businesses have to delete user accounts and unsubscribe people from email lists upon request. Businesses have to report data breaches and be better about data protection. Sounds pretty good, in theory at least. Among the many unanswered questions: will the USA implement something similar?
Does this affect you? Possibly. We have seen many organizations being proactive in their marketing, including emails, web sites, and social media, and you may have received recent communications about how your data is protected.
If you are concerned about this new regulation and its impact, reach out to K&A Tech Services for more information.