What EU Data Protection Laws Will Your Company Need to Follow?

Published November 21, 2017 in Business

You’ve got only a few months to make sure you follow the EU’s General Data Protection Regulation (GDPR). Yes, that’s right. Even if your company doesn’t have any offices in Europe, you’ll have to meet its requirements by May 25, 2018.

Do you offer goods or services to people in the EU, whether or not they pay for them? Do you monitor the behavior of anyone in the EU, for example with tracking cookies? Then you’ll have to follow the GDPR’s provisions or face a hefty fine. “In the EU” doesn’t mean the person has to be an EU citizen, either: the regulation protects anyone located there.

Even if you don’t sell anything to people in the EU, chances are you have, or will have, data about an EU resident. Maybe your company only processes that data on another company’s behalf. The GDPR covers both controllers (who decide why and how personal data is processed) and processors (who handle it on a controller’s instructions), so your company falls under its provisions in either case.

What Data is Covered?

The GDPR takes a much wider view of what counts as personal data: any information relating to an identified or identifiable natural person (the “data subject”), whether the identification is direct or indirect. The regulation’s examples include:

  • a name,
  • a photo,
  • an email address,
  • bank details,
  • posts on social networking websites,
  • medical information, or
  • a computer IP address

By comparison, let’s look at what the state of Georgia, home to Izenda’s offices, labels as personal data. (Check out your state’s data breach laws in Foley’s State Data Breach Notification Laws Chart.)

An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

  • social security number;
  • driver’s license number or state identification card number;
  • account number, credit card number, or debit card number, if circumstances exist where you could use the number without more identifying information, access codes, or passwords;
  • account passwords, personal identification numbers, or other access codes; or
  • any of the above without the individual’s name, if the compromised information would be enough to perform or attempt identity theft against that person

You can see the EU uses a much wider definition of what’s personal data covered by its laws and regulations. So you can’t rely on adherence to your local laws if you control or process EU residents’ data.

And don’t think because your company meets HIPAA or the expanded HITECH Act requirements that you don’t have work to do. Debra Diener, an attorney and Certified Information Privacy Professional, worries that companies are thinking too locally.

“A company sitting in the United States that handles health data—a health company, a clinical trial group, a hospital, a doctor’s office—they could feel very good that they actually are doing everything that they have to do under HIPAA and HITECH,” Diener said in this article on Bio-IT World. “But if that organization could be considered to be within, or covered by, the parameters of this EU regulation, then just doing what they’ve been doing for HIPAA might not be compliant with what is required under the GDPR.”

What are the Penalties?

The fines come in two tiers, and each is calculated as the higher of a fixed amount and a share of annual worldwide turnover. The upper tier, up to €20 million or 4% of turnover, whichever is higher, covers the basic principles of processing (including the conditions for valid consent), data subjects’ rights, and unlawful transfers of personal data outside the EU. The lower tier, up to €10 million or 2%, covers obligations such as keeping records of processing, notifying the supervisory authority and affected data subjects of a breach, data protection by design, and appointing a data protection officer where one is required.

If your organization processes the personal data on behalf of another company you’re still subject to those fines.

What Can I Do About It?

The best way to think about the GDPR is that it’s not your data. You are borrowing it from the data subjects. Where you rely on their consent they can withdraw it at any time, they can ask you to erase the data or hand a copy of it back, and they can even take that copy to your competitors.

Policies and Procedures: Your company should have data privacy rules and systems already in place. GDPR means it’s time to update them to these more stringent requirements. And now you’ll need to add policies and procedures so you are ready for a data breach and when someone: 1) asks to see their data, or 2) asks to be “forgotten” from your databases. Do an inventory of your data. Determine the purpose for collection of each data set, and restrict its use to those purposes. Use this handy guide and follow the list of actions you may need to take.

Active Consent Required: Consent is one of the lawful bases for processing personal data, and the one most web forms rely on. If you use it, the consent must be freely given, specific, informed, and unambiguous, shown by an affirmative act: silence, inactivity, or a pre-ticked box doesn’t count. Change your website landing pages and forms so the visitor actively checks the box, and state in plain language the purpose for which the data will be processed. The EU won’t accept legalese. You can still have the privacy document with its legalese designed to meet your company’s legal requirements; link to it from the plain-language text. Keep a record of who consented, to what, and when, because you must be able to demonstrate it. Some processing doesn’t need consent at all: fraud detection, for instance, can rest on your legitimate interest, and processing needed to fulfil a contract the data subject asked for has its own lawful basis.
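The following is an added example, not code from the original post or from Izenda, of what “active consent you can demonstrate” looks like on the server side. It assumes a hypothetical consent ledger keyed by subject and purpose: a grant is recorded only when the box was actually ticked and was not pre-ticked, a grant is tied to the version of the plain-language notice shown, withdrawal is an ordinary event, and purposes that rest on another lawful basis (the fraud-detection case above, or fulfilling a contract) are allowed without consulting the ledger. The purpose names and the mapping of purposes to lawful bases are assumptions for the example.

```python
"""Added example: a consent ledger that only accepts affirmative consent."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Assumed mapping of purposes that do NOT rely on consent (hypothetical values).
NON_CONSENT_BASES: Dict[str, str] = {
    "fraud_detection": "legitimate_interest",
    "order_fulfilment": "contract",
}


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str          # e.g. "marketing_email" (assumed purpose name)
    notice_version: str   # version of the plain-language notice the user saw
    granted: bool         # True for a grant, False for a withdrawal
    recorded_at: datetime


class ConsentLedger:
    """Append-only record of consent grants and withdrawals per subject and purpose."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def grant(self, subject_id: str, purpose: str, notice_version: str,
              checkbox_checked: bool, checkbox_default_checked: bool = False,
              now: Optional[datetime] = None) -> bool:
        """Record consent only if it came from an affirmative act.

        A box that was pre-ticked, or never ticked, is not consent; the event is
        rejected and nothing is stored. Returns True when a grant was recorded.
        """
        if not checkbox_checked or checkbox_default_checked:
            return False
        self._events.append(ConsentEvent(subject_id, purpose, notice_version, True,
                                         now or datetime.now(timezone.utc)))
        return True

    def withdraw(self, subject_id: str, purpose: str,
                 now: Optional[datetime] = None) -> None:
        """Withdrawal is just another event; earlier grants stay in the audit trail."""
        self._events.append(ConsentEvent(subject_id, purpose, "", False,
                                         now or datetime.now(timezone.utc)))

    def latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        """Most recent event for this subject and purpose, if any."""
        for event in reversed(self._events):
            if event.subject_id == subject_id and event.purpose == purpose:
                return event
        return None

    def has_consent(self, subject_id: str, purpose: str, current_notice_version: str) -> bool:
        """Valid only if the latest event is a grant given against the current notice.

        A materially changed notice gets a new version, which forces re-consent.
        """
        event = self.latest(subject_id, purpose)
        return (event is not None and event.granted
                and event.notice_version == current_notice_version)


def may_process(ledger: ConsentLedger, subject_id: str, purpose: str,
                current_notice_version: str) -> Tuple[bool, str]:
    """Decide whether processing for `purpose` may go ahead and name the basis."""
    basis = NON_CONSENT_BASES.get(purpose)
    if basis:
        return True, basis
    if ledger.has_consent(subject_id, purpose, current_notice_version):
        return True, "consent"
    return False, "no valid consent"


if __name__ == "__main__":
    ledger = ConsentLedger()
    # Pre-ticked box: rejected even though it is "checked".
    print(ledger.grant("u1", "marketing_email", "v2", checkbox_checked=True,
                       checkbox_default_checked=True))
    print(ledger.grant("u1", "marketing_email", "v2", checkbox_checked=True))
    print(may_process(ledger, "u1", "marketing_email", "v2"))
    print(may_process(ledger, "u1", "fraud_detection", "v2"))
```

The ledger never deletes events, so you can show a regulator the full history for a subject; the check used at processing time is only the latest event, which is what makes withdrawal effective immediately.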

Data Protection Officers: You might have heard about data protection officers. You only need to appoint one if your organization is a public authority, or if its core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of sensitive (special category) data such as health information. Someone on your staff may already have this responsibility. Make sure they understand local and GDPR data privacy requirements.

Data Breach: A controller must report a personal data breach to its supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to put people at risk; where the risk to individuals is high, the affected data subjects must be told as well. Data processors have to notify their customers, the controllers, “without undue delay” after first learning of a breach, so the controller’s 72-hour clock starts as soon as the processor reports. This applies wherever your organization is located, not only to offices in a member state. Look at all the trouble companies are facing after waiting months to notify consumers about data breaches: an incident response plan that can meet this deadline makes sense regardless.

Right to Access: Data subjects have the right to confirmation of whether you process personal data about them and, if so, to know what data, for what purpose, who receives it, and how long it is kept. You must provide a copy of that data free of charge (further copies may carry a reasonable fee) without undue delay and at the latest within one month of the request, extendable by two more months for complex or numerous requests. If the request came in electronically, provide the copy in a commonly used electronic format.

Right to be Forgotten: Also called the right to erasure. A data subject can require the data controller to erase their personal data and stop sharing it, for example when it is no longer needed for the purpose it was collected, when they withdraw the consent it rested on, or when it was processed unlawfully; a controller that has made the data public must also take reasonable steps to tell other controllers processing it to erase links and copies. The right is not absolute: data you must keep to meet a legal obligation, or to establish or defend legal claims, can be retained.

Data Portability: A data subject can demand the personal data they provided to you in a structured, commonly used, machine-readable format and transmit it to another organization, even a competitor, despite the fact that you collected it. The right applies where the processing rests on consent or a contract and is carried out by automated means.
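The three rights above (access, erasure, portability) all start from the same thing: knowing every dataset that holds a given person, and why. The following is an added example, not code from the original post or from Izenda, of a small in-memory data inventory that serves all three. It assumes a hypothetical inventory structure where each dataset records its purpose, whether the data was provided by the subject (the scope of portability), and whether a legal obligation forces retention (the limit on erasure); the datasets, field names, and rows are constructed for the example.

```python
"""Added example: a purpose-tagged data inventory serving access, erasure and portability requests."""
import json
from copy import deepcopy
from typing import Any, Dict, List

# Constructed sample inventory (hypothetical datasets and fake people, not real data).
SAMPLE_INVENTORY: Dict[str, Dict[str, Any]] = {
    "crm_contacts": {
        "purpose": "customer_support",
        "provided_by_subject": True,          # subject typed this in: portable
        "retain_for_legal_obligation": False,
        "rows": [
            {"subject_id": "s1", "name": "Ada Example", "email": "ada@example.org"},
            {"subject_id": "s2", "name": "Bob Example", "email": "bob@example.org"},
        ],
    },
    "invoices": {
        "purpose": "accounting",
        "provided_by_subject": False,
        "retain_for_legal_obligation": True,  # assumed tax record-keeping rule
        "rows": [
            {"subject_id": "s1", "invoice_no": "INV-1001", "amount_eur": 120.0},
        ],
    },
    "web_analytics": {
        "purpose": "site_analytics",
        "provided_by_subject": False,         # observed, not provided: not portable
        "retain_for_legal_obligation": False,
        "rows": [
            {"subject_id": "s1", "ip": "203.0.113.5", "page": "/pricing"},
            {"subject_id": "s1", "ip": "203.0.113.5", "page": "/signup"},
        ],
    },
}


def fresh_inventory() -> Dict[str, Dict[str, Any]]:
    """A private copy of the sample inventory, so erasure does not affect other runs."""
    return deepcopy(SAMPLE_INVENTORY)


def access_report(inventory: Dict[str, Dict[str, Any]], subject_id: str) -> Dict[str, Dict[str, Any]]:
    """Right of access: every dataset holding the subject, with its purpose and rows."""
    report: Dict[str, Dict[str, Any]] = {}
    for name, dataset in inventory.items():
        rows = [r for r in dataset["rows"] if r["subject_id"] == subject_id]
        if rows:
            report[name] = {"purpose": dataset["purpose"], "records": rows}
    return report


def portable_export(inventory: Dict[str, Dict[str, Any]], subject_id: str) -> Dict[str, List[Dict[str, Any]]]:
    """Data portability: only the data the subject provided, as plain records."""
    return {
        name: entry["records"]
        for name, entry in access_report(inventory, subject_id).items()
        if inventory[name]["provided_by_subject"]
    }


def portable_export_json(inventory: Dict[str, Dict[str, Any]], subject_id: str) -> str:
    """The same export serialized to a commonly used machine-readable format."""
    return json.dumps(portable_export(inventory, subject_id), indent=2, sort_keys=True)


def erase_subject(inventory: Dict[str, Dict[str, Any]], subject_id: str) -> Dict[str, Any]:
    """Right to erasure: delete the subject's rows except where a legal obligation
    requires retention, and return an auditable report of what was done."""
    report: Dict[str, Any] = {"erased": {}, "retained": {}}
    for name, dataset in inventory.items():
        matching = [r for r in dataset["rows"] if r["subject_id"] == subject_id]
        if not matching:
            continue
        if dataset["retain_for_legal_obligation"]:
            report["retained"][name] = {"records": len(matching), "reason": "legal obligation"}
            continue
        dataset["rows"] = [r for r in dataset["rows"] if r["subject_id"] != subject_id]
        report["erased"][name] = len(matching)
    return report


if __name__ == "__main__":
    inventory = fresh_inventory()
    print(json.dumps(access_report(inventory, "s1"), indent=2))
    print(portable_export_json(inventory, "s1"))
    print(erase_subject(inventory, "s1"))
```

The erasure report is what you keep as evidence that a request was handled, including the datasets you deliberately did not erase and why; in a real system the inventory would be a registry over your databases rather than dictionaries, but the shape of the three operations stays the same.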

Privacy by Design: Don’t bolt data protection on afterwards. Design your systems to collect and process only the data the stated purpose requires (data minimization), to pseudonymize it where you can, and to expose personal data only to the people and processes that need it for that purpose.

How Izenda Helps You Maintain Data Privacy

Izenda’s analytics platform restricts each user’s data access to what their role allows. Our integrated deployment inherits your application’s existing security model and sits behind your application’s authentication process. You push tenant, role, and user associations through our API, then define data, feature, and report permissions. Hidden filters can lock down data access to the row and cell level, which helps meet access restrictions on personally identifiable information.

