The General Data Protection Regulation (“GDPR”) is a European Union (“EU”) law, but it’s going to have a big impact on American businesses that collect and process personal data of EU individuals.
While American companies may be familiar with its predecessor, the Data Protection Directive through the Privacy Shield and Model Clause programs, the GDPR has several new requirements for how data must be handled. It also creates new rights for EU individuals (also known as “data subjects” under the GDPR) that organizations must be ready to address.
The GDPR is already in effect and enforcement will begin on May 25, 2018, so there’s still time to get up to speed on its requirements and ensure your enterprise is compliant. Please note that this blog post does not constitute legal advice, and we’re providing it for informational purposes only. For legal advice, be sure to work with your organization’s own legal team.
Understanding how the GDPR will affect you
Let’s make this clear: even if your headquarters and all of your data is located in the US, the GDPR still applies to you if you have EU customers and handle personal data about EU individuals. There is no need to move data into the EU in order to be compliant.
You should also be aware that not all data handlers are treated equally under the GDPR. Some are considered data controllers, who may have obligations notify an EU representative in the event of a data breach that results in the disclosure of personal data about EU individuals. Others are data processors who handle data at the direction of controllers. And while data processors may do more with the data, the controllers bear shared responsibilities for ensuring that they and the processors they share personal data with are compliant with the GDPR.
Furthermore, the GDPR doesn’t treat all data equally. While its definition of personal data is expansive enough to cover things like geolocation data, it also recognizes that data can be anonymized or pseudonymized. By using these methods to filter personal data, you can reduce the impact that the GDPR has on your business.
In short, now is the time to audit your data and figure out how you’re using it and where it’s stored (but more on that next).
New requirements of the GDPR
The GDPR creates strict data breach notification policies. Where previous privacy frameworks only required notification of data breaches, the GDPR gives covered entities just 72 hours to notify their supervisory authority in the EU after discovery of a breach that results in a risk to individuals’ rights. Therefore, organizations should implement and test incident response plans and include their legal and communications teams in those tests in order to be prepared to meet this short timeline.
EU individuals are also given multiple new rights to control the use of their personal data. This includes stronger requirements for opting in to the use of data collection for marketing and other purposes. Pre-ticked boxes or opt-out (instead of opt-in) for marketing are no longer allowed, requiring IT teams to coordinate with internal Sales and Marketing teams to ensure proper consent is being collected before email addresses are used.
Next, the GDPR creates additional new rights for the data subject: the right to erasure (also known as the right to be forgotten) and the right to data portability, and right to rectification. The right to erasure requires that the organization delete personal data on the subject upon request if it is no longer needed or the subject withdraws consent. The right to portability requires that personal data is supplied in a commonly used format, if the subject makes a request for a copy of his or her data. This is so that it can be easily transferred into another data processing system. The right to rectification allows a data subject to require an organization to correct any inaccurate data it may have about the data subject
For even more details on the new regulation, download Okta’s GDPR White Paper.
How to prepare for compliance
One common misconception is that GDPR requires companies to move the personal data for all EU individuals back into the EU. In fact, the GDPR is the opposite – it helps enforce a framework under which companies can move data across borders safely and legally. By creating a more uniform data privacy standard across the EU, it streamlines your organization’s ability to operate to a global audience. The broad definition of personal data also provides IT organizations with a strong baseline which with to define and audit the use and storage of PII.
In addition to auditing their organization’s data in order to be best-positioned to stay compliant, IT managers need to coordinate with their legal team to understand the impact of the GDPR on their business. Legal teams can advise you, or assist with finding a resource familiar with the GDPR.
Organizations should also determine whether their contracts with customers and vendors should be updated, in order to properly and clearly describe the parties’ respective rights and obligations under the GDPR. In all likelihood, your organization’s legal team would be driving those processes.
Finally, depending on the nature of your business model and the manner by which consent is obtained to use EU individuals’ personal data, your organization may need to update its consent and disclosure boxes, privacy policies, and other notifications to end users and site visitors, to ensure that they are able to properly provide consent to the use of their personal data.
The GDPR is one of the most expansive pieces of privacy legislation in history. That’s ultimately a good thing for users and enterprises, but it also comes with a new set of challenges. Thankfully, there’s still time to prepare for this regulation before its enforcement date. And there are partners like Okta who are at the ready to help.
Looking for more ways to approach the GDPR from a legal and IT perspective? We’ve compiled some tips on that as well.