This column is available in a weekly newsletter called IT Best Practices. Click here to subscribe.
Does your company do business internationally, and especially with customers within the European Union (EU)? If so, then you need to pay attention to what's happening in the areas of data privacy and data sovereignty. Big changes are underway and they could have an impact on how you manage customer information.
At the end of December, the European Commission (EC) approved the final version of the General Data Protection Regulation (GDPR). It's a massive overhaul of the EU's 1995 data protection rules (Directive 95/46/EC), which were quite out of date given the technology developments and globalization of the last two decades. The EC has been working on the GDPR since 2012 in order to strengthen online privacy rights and boost Europe's digital economy.
There are some terms in the GDPR that will have a significant impact on many businesses outside the EU. While the GDPR is a European regulation, the terms apply extraterritorially to any entity (called a data processor or a data controller) that offers goods or services to residents (called data subjects) of the EU.
Thankfully the regulation stipulates that having a commerce-oriented website that is accessible to EU residents does not constitute offering goods or services. A merchant must show intent to draw EU residents as customers; for example, by using a local language or payment denomination. However, there are many other ways that a business can get caught up in the regulations.
Here are a few of the more relevant aspects of the GDPR for commercial businesses:
- An individual must be informed in unambiguous terms that his information is going to be collected and/or processed, and for what specific purpose. If the information is going to be used for multiple purposes – say for marketing or data analytics purposes in addition to processing an order – the individual must be informed of each and every purpose. Consent cannot be implied and must be explicitly given. The request for consent must be clear and concise and cannot be presented in an unusual context.
- Data controllers are limited in the length of time in which they can keep an individual's data. The data must be erased or reviewed at the end of this time period.
- The identity of the data controller or processor must be transparent and clear. Individuals should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise his or her rights in relation to the processing.
- Data controllers must provide a means for data subjects to request access to their data, rectification, erasure and the right to withdraw consent for the data's use. Furthermore, data subjects should have the right to have their data erased and no longer processed by withdrawing their consent for processing.
- The data subject should be informed about the existence of profiling, and the consequences of such profiling.
- When a data controller (e.g., a business) uses a data processor (e.g., a cloud service provider) to process data on the controller's behalf, the processor must meet all the requirements of the Regulation for the security of processing. This includes implementing technical and organizational measures necessary to meet the requirements. The controller or processor should maintain records regarding all categories of processing activities under its responsibility.
- Data controllers are required to notify data subjects within 72 hours of a data breach involving data that is not encrypted.
- Any data that is transferred outside the EU for processing (such as putting data into a cloud application) is subject to all the regulations of the GDPR.
I could go on and on. These points just begin to touch on the specifications of how personal data can be handled under the new regulation. You can see, however, that the specifications can potentially have a big impact on how companies do business today.
The GDPR allows two years for businesses to assess the new regulations and to put the proper measures in place to assure compliance. The regulation allows for significant penalties for non-compliance, including administrative fines at up to 2% of annual worldwide sales or 1 million euros.
In the 2015 Ovum research report Data Privacy Laws: Cutting the Red Tape, two-thirds of the respondents say they expect the legislation to force changes in their European business strategy. Some companies might abandon the EU market altogether rather than spend the money and effort to comply with the new regulation. More than half the survey respondents expect that their companies will be assessed fines for violations of the law.
If you even think this regulation could have an impact on your business, there is no time to waste in assessing the situation and formulating your go-forward plans.