Data privacy and protection are critical parts of any compliance framework, and few regulatory frameworks take that fact more seriously than the General Data Protection Regulation, or GDPR. A law passed in the European Union in 2018, GDPR addresses the core question of how businesses can gather, use and manage customer data as part of their operations without violating the rights of those customers.
While some businesses in the U.S. may not see much value in understanding GDPR, those serving EU customers are wise to better grasp the intricacies of the law and how it will impact their work in Europe.
What is GDPR?
GDPR, first conceived in 2012, is an attempt by participating countries to enter the digital age with a clear vision of how to regulate data as it is used in everyday commerce. Recognizing that customer data will drive most, if not all, businesses in nearly every industry, the EU set out to implement sweeping, comprehensive and rigorous rules to meet that challenge.
Most importantly, any organization doing business in the EU must understand the goals of GDPR, which are:
- To ensure the protection of the fundamental privacy of “Data Subjects” (i.e., customers and clients),
- Update privacy laws to meet modern technology, and
- Unify 28 different EU privacy laws based on member state legislation.
The focal point of GDPR is the Data Subject, the person the data comes from, and the sanctity of their data. The business (specifically your business), called the Controller, must work to protect that data.
That means that within GDPR, there are some incredibly broad conditions that inform specific regulations and dictate how businesses use data.
Some of the most important conditions are:
- Gaining Consent: Unlike the “opt-out” model of data gathering in the United States, GDPR presupposes an “opt-in” framework. Any business collecting user information must acquire consent to do so. This covers everything from using buying behavior to gathering payment data or sending marketing materials via email.
- Proof of Consent: It’s not enough to gain consent; you must also be able to prove it through some mechanism (documentation, immutable audit logs, etc.).
- Right to Request Access: The Data Subject, at any time, can request information about the data that you’ve collected from them. This includes how that information is held and processed, who is accessing it and for what purposes that information is being used.
- Right to Erasure: The Data Subject can request the Controller delete their data at any time without exception. The Controller is required to delete that data per the user request “without delay”.
- Right of Rectification: The Data Subject can request changes be made to inaccurate data, and may object to any way in which their data is used to profile them politically, racially or culturally for discrimination.
- The Right to Stop: The Data Subject can request that the Controller stop processing all data. The Controller must comply immediately, with no exception.
- Right to Restrict Processing: The Data Subject can request that the Controller stop certain processing of data without removing the data from their system.
These rights are largely unique to the EU and rarely found outside it (the closest antecedent in the U.S. is the California Consumer Privacy Act, or CCPA).
GDPR outlines how Controllers must protect user data through encryption, proper security, risk management and so on. However, it’s just as important for Controllers to maintain the privacy of that data and to respect the agency of the Data Subject. More importantly, GDPR concretely defines personal data to include:
- Any basic identity information like a name, address or phone number
- IP address
- Health data (PHI)
- Cultural or personal representation (race, political affiliation, sexual orientation, etc.)
GDPR and Consent
Consent is one of the pillars of GDPR because it centralizes control of data with the user.
Consider this scenario: in the United States, you can automatically be enrolled in any new email marketing campaign. The law states only that the sender must give you the option to opt out of further emails, usually through a link in every communication. GDPR, on the other hand, requires you to obtain consent before sending those emails in the first place.
Furthermore, there is no rhetorical sleight-of-hand a business can use to avoid disclosing the exact nature of what it does with data. Any and all requests for consent must be clear and concise, and must disclose what you are going to do with that information.
Every request for data must include the following pieces of information:
- What data the company wants,
- How the company will use that data,
- How the company will store and access that data,
- Clear business reasons for the collection and use of the data,
- A description, addressed to the Data Subject, of why you need the information, and a statement that they can change their mind (withdraw consent) if they want.
Complying with GDPR
If you want to do business in the EU, you’re going to need to be compliant across internal systems and marketing materials. Some of the steps you can take to achieve or remain in compliance include:
- Implement proper encryption standards: AES-256 or higher, plus TLS 1.1 or higher for data in transit.
- Acquire a representative in the EU if you are not physically located there. Businesses selling services and products online in the EU must have a representative to help them manage compliance.
- Ensure that marketing materials, emails, etc. give potential customers a way to understand why you are collecting that data, for what purposes and through what means.
- Provide details on how to contact your organization and request deletion of collected data on all marketing materials and consent forms.
- Use forms and features that collect and store consent in unbroken audit logs.
- Prepare breach notification procedures. Like HIPAA, GDPR requires companies to notify officials and affected customers of a breach within 72 hours.
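The “Proof of Consent” and “unbroken audit logs” points above translate into a concrete artifact: a consent register that a Controller can show to an auditor or replay to answer an access request. The following is an added example, not code from the original article or from Lazarus Alliance; the `ConsentLog` class, the subject id `subj-42`, the timestamps and the purpose names are all constructed for illustration. Each entry carries the SHA-256 hash of the previous entry, so editing or deleting history breaks the chain and `verify()` reports it.

```python
import hashlib
import json

GENESIS = "0" * 64  # stands in for the hash of the entry before the first one

class ConsentLog:
    """Append-only consent register: each entry commits to the previous entry's hash."""
    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, ts, subject_id, action, data, purposes):
        # action is 'grant' or 'withdraw'; data/purposes say what the subject agreed to
        body = {
            "ts": ts, "subject": subject_id, "action": action,
            "data": sorted(data), "purposes": sorted(purposes),
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        self.entries.append({**body, "hash": self._digest(body)})
        return self.entries[-1]["hash"]

    def verify(self):
        """Recompute every hash and link; False means an entry was edited or dropped mid-chain."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def current_consent(self, subject_id):
        """Replay the chain to answer an access request: purposes still consented to."""
        purposes = set()
        for entry in (e for e in self.entries if e["subject"] == subject_id):
            delta = set(entry["purposes"])
            purposes = purposes | delta if entry["action"] == "grant" else purposes - delta
        return sorted(purposes)

def demo():
    log = ConsentLog()  # constructed scenario: grant, partial withdrawal, then tampering
    log.record("2024-01-05T09:00:00Z", "subj-42", "grant", ["email", "purchase_history"],
               ["marketing_email", "recommendations"])
    log.record("2024-02-10T12:30:00Z", "subj-42", "withdraw", [], ["marketing_email"])
    result = {"intact": log.verify(), "consent": log.current_consent("subj-42")}
    log.entries[0]["purposes"].append("profiling")  # out-of-band edit of history
    result["after_tamper"] = log.verify()
    return result
```

The chain is tamper-evident, not tamper-proof: silently deleting the most recent entries is only caught if the latest hash is also anchored somewhere the log’s owner cannot rewrite (a write-once store or a periodically published checkpoint).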
Compliance is non-negotiable, and carries steep penalties. These include:
- Less serious violations, where steps are attempted to remediate problems, including violations of data protection or certification obligations, can result in a fine of up to €10 million or 2% of all annual worldwide revenue, whichever is greater.
- For violations of consent laws, privacy rights laws, or fair processing laws the penalties can go up to €20 million or 4% of all annual worldwide revenue, whichever is greater.
GDPR Compliance with Lazarus Alliance
If you are doing business in Europe, you are undoubtedly seeking GDPR assessment and accreditation services. You may have already guessed that, between the preparation costs of getting ready for a GDPR audit and the cost of a third-party assessor to audit and certify your company, the expenses pile up quickly.