Under the GDPR, personal data includes what is collected through web forms, cookies, user preferences, etc. The fundamental change is that companies that provide third-party services, such as cloud hosting, will be held jointly liable for data breaches under the GDPR, “which will affect technology service providers in particular.”
Key changes to EU data protection introduced by the GDPR:
- More rigorous requirements for obtaining consent for collecting personal data.
- Raising the age of consent for collecting an individual’s data from 13 to 16 years old.
- Requiring a company to delete data if it is no longer used for the purpose it was collected.
- Requiring a company to delete data if the individual revokes consent for the company to hold the data.
- Requiring companies to notify the EU government of data breaches within 72 hours of learning about the breach.
- Establishing a single national office for monitoring and handling complaints brought under the GDPR.
- Firms handling significant amounts of sensitive data or monitoring the behavior of many consumers will be required to appoint a data protection officer.
- Fines up to €20m or 4% of a company’s global revenue for non-compliance.
The GDPR can be broken down into three categories reflected in the regulation:
Compliance journey (entities are required to):
- Map and classify all their personal data
- Perform risk assessments
- Design privacy protections into all new business operations and practices
- Employ dedicated data protection officers
- Monitor and audit compliance
- Document everything they do with data and everything they do to achieve legal compliance.
Transparency framework
- How entities deal with contracts (language in contracts with third parties)
- How entities provision users and the permissions and privileges that allow them to see user data
- How they communicate full information to users concerning their personal data
- Breach notification to users and regulators.
Enforcement (Sanctions and Remedies)
- Regulator will have authority to levy extensive fines
- “Right to be forgotten”
- “Right to data portability”
- Right of individuals to access their data
- Right of individuals to end use of their data
Transfers of EU citizens’ or EU residents’ personal data out of the EU to non-EU jurisdictions will be highly discouraged.
What is the Impact on US Businesses?
Does your organization have an office in the EU?
Do you have servers or “cloud” in a non-EU jurisdiction that contain EU citizen or EU resident personal data?
This law does indeed apply to organizations based outside the EU, too, such as in the United States, Canada or China [3].
The EU GDPR applies to both data ‘controllers’ and ‘processors’.
Does your organization employ more than 250 employees? What personal data of European residents do you collect and how do you process it? I recommend an information audit of any system that might collate or process personal data of European subjects.
Sources:
1. http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1497261922341&uri=CELEX:32016R0679
2. http://www.computerweekly.com/news/4500270456/EU-data-protection-rules-affect-everyone-say-legal-experts
3. https://tbgsecurity.com/eu-gdpr-demystified-a-straight-forward-guide-for-us-firms-part-1/