The new GDPR is an evolution of the EU’s existing data rules, the Data Protection Directive (DPD). It addresses many of the shortcomings in the DPD by adding requirements for documenting IT procedures, performing risk assessments under certain conditions, and notifying the consumer and authorities when there is a breach, as well as by strengthening rules for data minimization.
It’s important to note that the EU GDPR covers personal data. It’s what we in the US would call personally identifiable information (PII). Think names, addresses, phone numbers, account numbers, and more recently email and IP addresses.
One way to describe the GDPR is that it simply legislates a lot of common-sense data security ideas, especially from the Privacy by Design school of thought: minimize collection of personal data, delete personal data that’s no longer necessary, restrict access, and secure data through its entire lifecycle.
What are the new requirements?
- Privacy by Design – Privacy by Design (PbD) has always played a part in EU data regulations. But with the new law, its principles of minimizing data collection and retention and gaining consent from consumers when processing data are more explicitly formalized.
- Data Protection Impact Assessments (DPIA) – When certain data associated with subjects is to be processed, companies will have to first analyze the risks to their privacy. This is another new requirement in the regulation.
- Right to Erasure and To Be Forgotten – There’s been a long-standing requirement in the DPD allowing consumers to request that their data be deleted. The GDPR extends this right to include data published on the web. This is the still-controversial right to stay out of the public view and “be forgotten”.
- Extraterritoriality – The new principle of extraterritoriality in the GDPR says that even if a company doesn’t have a physical presence in the EU but collects data about EU data subjects (for example, through a web site), then all the requirements of GDPR are in effect. In other words, the new law will extend outside the EU. This will especially affect e-commerce companies and other cloud businesses.
- Breach notification – A new requirement not in the existing DPD is that companies will have to notify data authorities within 72 hours after a breach of personal data has been discovered. Data subjects will also have to be notified, but only if the data poses a “high risk to their rights and freedoms”.
- Fines – The GDPR has a tiered penalty structure that will take a large bite out of an offender’s funds. More serious infringements can merit a fine of up to 4% of a company’s global revenue. This can include violations of basic principles related to data security — especially PbD principles. A lesser fine of up to 2% of global revenue — still enormous — can be issued if company records are not in order or a supervising authority and data subjects are not notified after a breach. This makes breach notification oversights a serious and expensive offense.
Overall, the message for companies that fall under the GDPR is that awareness of your data—where is sensitive data stored, who’s accessing it, and who should be accessing it—will now become even more critical.
Why GDPR is Important
At the center of GDPR is the protection of Personally Identifiable Information or “PII.” The definition for PII is information that can be used stand-alone or in concert with other information to identify a specific person. This includes obvious data like name, address, and phone number; less obvious data like email address and IP address; and other data such as a credit card number and unique identifiers that can be decoded back to the person.
How Will GDPR Affect You as an Individual
Even if you are not a citizen of the EU, GDPR will still affect you. Why? Because nearly every company you deal with, especially online, will have customers that live in the EU. It makes little sense for a service provider or vendor to create a separate set of rules for just EU citizens. In practice, protection of private information should be more accountable and transparent with GDPR.