Is GDPR for dummies? The onslaught of new regulations can seem daunting, especially if you’re in an industry where multiple policies need to be met. But in a world where data breaches, account takeovers and other abuses are far too common, it’s clear something must be done to ensure big companies are taking adequate steps to protect sensitive personal data. The EU General Data Protection Regulation (GDPR) outlines how companies must take care of personal information, and is regarded as the strongest data protection policy in the world. But what does that mean for you?
For companies that do business within the EU, GDPR compliance is a must. Failing to meet these new standards can result in hefty fines. A “lower level” fine may reach up to €10 million, or 2% of the prior financial year’s worldwide annual revenue – whichever is greater. For the “upper level,” companies in violation of GDPR may be fined up to $20 million, or 4% of their worldwide annual revenue – again, whichever is greater.
These fines are no small potatoes. Achieving GDPR compliance can seem like an insurmountable task, but the truth is even “dummies” can understand the core concepts of GDPR.
GDPR: What new regulations do, for “dummies”
The goals of GDPR are to “harmonize” data protection standards in the European Union, while also giving better protection and more rights to individuals. Since the launch of GDPR in May 2018, there has been substantial confusion about who needs to be GDPR compliant. Recent survey data indicates 91 percent of American businesses don’t have a good understanding of GDPR, and another 84 percent don’t understand what GDPR means for their business.
In short: If your company operates or serves customers in the EU, GDPR compliance is essential – even if your company isn’t based in Europe. It affects businesses of every size; whether you’re a one-man crew or have 100 employees makes no difference. Even charities that collect personal information will be required to adhere to GDPR standards. If your company fell under the EU’s prior regulation, the Data Protection Act, there’s a good chance it will also fall under GDPR.
Under GDPR, companies will be required to better secure personal information and sensitive personal information. In the full text, there are 99 articles describing the responsibilities of companies included in the policy, along with the rights granted to individuals.
What GDPR regulations include
The advent of GDPR is going to change the way many businesses operate. Essentially, GDPR regulates not just how you collect and store personal information, but why you’re collecting it. This is big because until now, many large companies have been freely collecting user data. What GDPR does is demand that businesses have an explicit reason for gathering personal information from their users – and it holds them accountable for data protection.
Under GDPR, individuals will also have a set of eight rights that businesses must uphold. In addition to telling users why their data is being collected and how long it will be stored for, businesses must comply with a number of user demands. If an individual wants their data deleted, companies must do so. Users also have the right to object if their data is being used for certain purposes, such as direct marketing.
In the event of a data breach, companies must report the incident within 72 hours and must also keep a record of any and all breaches. The Information Commissioner’s Office is tasked with monitoring compliance.
GDPR: Breaking down the details
Companies that have more than 250 employees will need to document why they are collecting and processing personal information. Basically, the EU wants to make sure your company is justified in its data collection. There are six legal justifications for data collection in the EU.
Each of these justifications has its own set of sub-rules that businesses must follow. Consumers must also be made aware of why you’re collecting data before it’s gathered.
These businesses will also need to include descriptions of the data being stored and for how long, as well as descriptions of what security measures they’re taking to safeguard that information.
Companies that process lots of sensitive information or that deal in “regular and systemic monitoring” of people will also need to have employees dedicated specifically to data protection.
Under GDPR, organizations must keep personal data secure, and are required to conduct regular testing to ensure their security measures are up to snuff. Security is expected to be a key part of the design process for businesses, rather than a band-aid that can be applied later.
The legislation mandates that companies have “a high level of protection of personal data,” and that “personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorized access to or use of personal data.” But GDPR does not outline what steps companies should take to meet these requirements.
For example, GDPR doesn’t mention user authentication requirements – however, it’s reasonable to assume that a strong password policy is going to be necessary, given that most companies use passwords of some kind for preventing unauthorized access. While GDPR may be expansive, even “dummies” can see its security regulations are pretty vague.
Basically, if you serve the EU in some capacity, you’ll need to ensure your data protection policies are strong, while also making sure your data collection practices are easily understood by consumers. Transparency and responsibility are the cornerstones of GDPR.