No doubt you have been hearing more about GDPR, but is this something you really need to pay attention to right now? Well, the short answer is: Yes.

The European Commission put forward its EU Data Protection Reform in January 2012 to make Europe fit for the digital age and to close the gaps that were identified in the Safe Harbor agreement - the agreement between the United States Department of Commerce and the European Union that regulated the way that U.S. companies could export and handle the personal data of European citizens.

In recent years, more than 90% of Europeans reported they wanted the same data protection rights across the European Union – regardless of where their data is processed.

The next step? Reform to the EU's existing General Data Protection Regulation (GDPR), which will take effect in May 2018, effectively replacing the EU's Data Protection Directive 95/46/EC. It is clearly designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy, and to reshape the way organizations across the region, and really across the globe, approach data privacy.

What Is GDPR? Preparing for the General Data Protection Regulation

The General Data Protection Regulation (GDPR) marks the most important change in data privacy regulation in 20 years. It targets the protection of natural persons with regard to the processing of personal data and the free movement of such data, and it repeals Directive 95/46/EC. Key points to keep in mind according to the EU Data Protection Reform include the following.

  • The principles of data protection should apply to any information concerning an identified or identifiable natural person.
  • To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person, to identify the natural person directly or indirectly.
  • To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.

PII Gathering Outside the EU

Under EU law, Personally Identifiable Information (PII) can only be gathered legally under strict conditions, for a legitimate purpose. 

Organizations that collect and manage personal information must protect it from misuse and must respect certain rights of the data owners that are guaranteed by EU law.

The EU's Data Protection Directive also foresees specific rules for the transfer of personal data outside the EU to ensure the best possible protection of data when it is exported abroad.

Arguably the biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of data subjects residing in the EU, regardless of the data processing company’s location. Previously, territorial applicability of the directive was ambiguous and referred to data processing in the context of an establishment.

GDPR makes its scope and applicability very clear - it will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU ... or outside of the EU.

The reformed GDPR will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to offering goods or services to EU citizens and the monitoring of behavior that takes place within the EU. Non-EU businesses processing the data of EU citizens will have to appoint a representative in the EU. 

Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million (whichever is greater). This sanction is the maximum fine that can be imposed for the most serious infringements, which include not having sufficient customer consent to process data. It is for this reason that organizations that collect and process this type of data are being ‘challenged’ to ensure not only that they need, and have the permissions, to collect, process and manage this information, but also that they have a need to retain it.

Keep in mind, 'The Cloud' will not be exempt from GDPR enforcement.

PII consists of key information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records and more, including, but not limited to, an individual's photographic image, fingerprints, handwriting, retina scans, voice signature, facial geometry, taxpayer identification number, passport information and credit card numbers.  

Protecting PII is a challenge for individuals and enterprises alike. 

Every business is built on people and processes - clients, customers, partners, vendors, employers. As such, every business is responsible for the actions of its staff and the effectiveness of its processes and best practices when it comes to protecting PII.


While the new regulation does not seem complex on the surface, many organizations collect and process customer data together with data about customers' online behavior, and this data is stored in large warehouses. The challenge is being able to redact, anonymize and delete the data on request, as well as in line with the organization's internal records retention requirements.


Do you have questions or concerns about getting prepared for the GDPR? If you manage Personally Identifiable Information, GDPR readiness may be your prime directive at this time.  Download our eBook today to learn more!
