General Data Protection Regulation (GDPR) requirements, deadlines and facts
The following article is cited from the www.csoonline.com website.
What is the GDPR?
GDPR is a regulation that requires businesses to protect the personal
data and privacy of EU citizens for transactions that occur within EU member
states. The European Parliament adopted the GDPR in April 2016, replacing an
outdated data protection directive from 1995. The GDPR also regulates the
exportation of personal data outside the EU.
And non-compliance could cost companies dearly.
Companies that collect data on citizens in European Union (EU) countries
will need to comply with strict new rules around protecting customer data by
May 25, 2018. The General Data Protection Regulation (GDPR) is expected to set a new
standard for consumer rights regarding their data, but companies will be
challenged as they put systems and processes in place to comply.
The GDPR leaves much to interpretation. It says that companies must
provide a “reasonable” level of protection for personal data, for example, but
does not define what constitutes “reasonable.” This gives the supervisory
authorities that enforce the GDPR a lot of leeway when it comes to assessing fines for data breaches and
non-compliance.
Why does the GDPR exist?
The short answer to that question is public concern over privacy. Europe
in general has long had more stringent rules around how companies use the
personal data of its citizens. The GDPR replaces the EU’s Data Protection
Directive, which went into effect in 1995. This was well before the internet
became the online business hub that it is today. Consequently, the directive is
outdated and does not address many ways in which data is stored, collected and
transferred today.
How real is the public concern over privacy? It is significant and it
grows with every new high-profile data breach. According to the RSA Data
Privacy & Security Report, for which RSA surveyed 7,500 consumers in
France, Germany, Italy, the UK and the U.S., 80 percent of consumers said lost
banking and financial data is a top concern. Lost security information (e.g.,
passwords) and identity information (e.g., passports or driving license) was
cited as a concern of 76 percent of the respondents.
An alarming statistic for companies that deal with consumer data is the
62 percent of the respondents to the RSA report who say they would blame the
company for their lost data in the event of a breach, not the hacker. The
report’s authors concluded that, “As consumers become better informed, they
expect more transparency and responsiveness from the stewards of their data.”
Lack of trust in how companies treat their personal information has led
some consumers to take their own countermeasures. According to the report, 41
percent of the respondents said they intentionally falsify data when signing up
for services online. Security concerns, a wish to avoid unwanted marketing, and
the risk of having their data resold were among their top reasons for doing so.
The report also shows that consumers will not easily forgive a company
once a breach exposing their personal data occurs. Seventy-two percent of US
respondents said they would boycott a company that appeared to disregard the
protection of their data. Fifty percent of all respondents said they would be
more likely to shop at a company that could prove it takes data protection
seriously.
“As businesses continue their digital transformations, making greater
use of digital assets, services, and big data, they must also be accountable
for monitoring and protecting that data on a daily basis,” concluded the
report.
What types of privacy data does the GDPR protect?
· Web data such as location, IP address, cookie data and RFID tags
· Health and genetic data
· Biometric data
· Racial or ethnic data
· Political opinions
· Sexual orientation
Which companies does the GDPR affect?
Any company that stores or processes personal information about EU
citizens within EU states must comply with the GDPR, even if they do not have a
business presence within the EU. Specific criteria for companies required to
comply are:
· No presence in the EU, but it processes personal data of European residents.
· More than 250 employees.
· Fewer than 250 employees, but its data processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data.
That effectively means almost all companies. A PwC survey showed that 92 percent of U.S. companies consider GDPR a top data protection priority.
When does my company need to be in compliance?
Companies must be able to show compliance by May 25, 2018.
Read the full article at https://www.csoonline.com/article/3202771/data-protection/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html
REFERENCES
Nadeau, M. (2018). What is the GDPR, its requirements and deadlines?
[online] CSO Online. Available at:
https://www.csoonline.com/article/3202771/data-protection/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html
[Accessed 10 Mar. 2018].