In January 2012, the European Commission set out plans for data protection reform across the European Union (EU) in order to make Europe ‘fit the digital age’. Nearly four years later, in 2016, the General Data Protection Regulation (GDPR) was approved to replace the outdated data protection directive from 1995. At its core, GDPR is a new set of rules designed to give citizens more control over their data. It aims to simplify the regulatory environment for citizens and businesses to be able to fully benefit from the digital economy. The regulation requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states.
The reforms are designed to reflect the world we’re living in now, and bring laws and obligations across Europe up to speed for the internet-connected age. The current legislation was enacted before the internet and cloud technology created new ways of exploiting data, and the GDPR seeks to address that. Furthermore, the EU wants to give businesses a simpler, clearer legal environment in which to operate, making data protection laws identical throughout the single market. However, compliance will raise some concerns and place new expectations on security teams. Here is a breakdown of everything you need to know about the GDPR.
What is it?
The GDPR is a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. It will introduce fines for non-compliance and breaches and will give people more say over what companies can do with their data. The GDPR will also make data protection rules more uniform and standardized throughout the EU.
However, as it stands, the GDPR leaves a lot open to interpretation. The regulation states that companies must provide a “reasonable” level of protection for personal data but does not stipulate what constitutes “reasonable.” By doing so, the GDPR governing body is given leeway when it comes to assessing fines for data breaches and non-compliance.
When will it be applied?
Beginning May 25, 2018, the GDPR will be applied to all EU member states. Since the GDPR is a regulation, and not a directive, the UK is not required to draw up new legislation. Instead, the regulation will apply automatically. However, with the regulation going into effect soon, an article by CSO Online reports that only half of IT security professionals are preparing for the GDPR. Nearly a third said they are not preparing for the impending regulation, and 28 percent said they were unaware of any preparation their company might be doing.
Who will the GDPR affect?
The GDPR will affect any and all companies that store or process personal information about EU citizens within EU states, even if they do not have a business presence within the EU. The criteria companies must meet to have the GDPR applicable to them are:
- A presence in an EU country
- No presence in the EU, but processes personal data of European clients
- More than 250 employees
- Fewer than 250 employees, but the company’s data processing impacts the rights and freedoms of data subjects or includes certain types of sensitive personal data
Essentially, this means all companies in the EU will ultimately be affected by the GDPR. A survey conducted by PwC shows that 92 percent of U.S. companies consider the regulation to be a top data protection priority.
Which individuals will be held responsible for compliance?
Controllers and processors of data will need to abide by the GDPR. Even if these individuals are based outside of the EU, the GDPR will still apply to them so long as they’re dealing with data belonging to EU residents. The three roles the GDPR defines as responsible for ensuring compliance are the data controller, the data processor, and the data protection officer (DPO).
The data controller defines how personal data is processed and enforces the regulation’s requirements on outside contractors. Data processors maintain and process personal data records; this includes any outside firm that performs all or part of those activities. The DPO oversees data security strategies and GDPR compliance. However, some public entities, such as law enforcement, may be exempt from the DPO requirement.
What happens if a company is not in compliance?
There are steep penalties and fines for companies that do not comply with the regulation. If you don’t follow the basic principles for processing data, such as consent, ignore individuals’ rights over their data, or transfer data to another country, the fines could be as much as €20 million (roughly U.S. $27 million) or four percent of global annual turnover, whichever is higher. According to the report by CSO Online, Ovum reports that nearly 52 percent of companies believe they will be fined for non-compliance. The report also shows that management consulting firm Oliver Wyman predicts the EU could collect as much as $6 billion in fines and penalties within the first year.
What counts as personal data under the GDPR?
The EU has substantially redefined what constitutes personal data under the new regulation. To reflect the types of data organizations now collect about people, online identifiers such as IP addresses, cookie data, and RFID tags now qualify as personal data. Other data, such as economic, cultural, or mental health information, is also considered identifiable information. Pseudonymised personal data may also be subject to GDPR rules, depending on how easy it is to identify whose data it is. All categories of personal data defined under the Data Protection Act from 1995 also qualify as personal data under the GDPR; these are basic identity information, biometric data, genetic data, racial/ethnic data, political opinions, and sexual orientation.
What should a company do to prepare for the GDPR?
CSO Online provides a list of what companies should do to prepare for the impending GDPR. The article states that the following should be considered by all companies that will be affected by the regulation.
- Set a sense of urgency that comes from top management
- Involve all stakeholders
- Conduct risk assessment
- Hire or appoint a DPO
- Create a data protection plan
- Don’t forget about mobile devices
- Create a plan to report your GDPR compliance progress
- Implement measures to mitigate risk
- If your organization is small, ask for help if needed
- Test incident response plans
- Set up a process for ongoing assessment
- Aim to improve your business
To be successful, organizations must proactively roll out comprehensive strategies and leverage technology, such as advanced analytics and prevention tools. Discovery analytics and machine learning tools will not only rapidly search, identify, categorize, and tag relevant documents, but will also discover and analyze patterns and contextual themes. However, despite all these challenges, many ad tech executives and legal counsels believe the GDPR will create opportunities for quality data and better data management. They believe that the regulation will lead to consolidation in the ad tech space, as media buyers feel pressure to cut vendors that are not GDPR-compliant.