General Data Protection Regulation
Effective May 25, 2018
The European Union (EU) adopted the GDPR with the purpose of regulating organizations’ management of data, with a primary focus on protecting personal information stored and processed by businesses. This outline provides the highlights of the regulation.
1. GDPR is adopted by the European Economic Area (EEA) which includes the EU* plus Iceland, Liechtenstein, Norway and Switzerland.
2. It covers any company doing business in the EEA (or having employees there). The liability for failure to follow the regulation is massive fines of up to 4% of global revenue or 20 million Euros, whichever is larger. In May 2017 Facebook was fined $122 million under the GDPR’s predecessor. Potential liability could be in the range of $1.6 billion.
3. Persons must be provided the option of Opt In or Opt Out – the choice can be withdrawn at any time.
4. Persons are granted the right to access their data, and to obtain a copy of their data, in an interchangeable format. (The format is under development by Microsoft, Facebook, Google and Twitter.)
5. Persons have the right to “be forgotten” – this applies to third parties who may also have access to the data.
6. All data processes going forward must be designed with the concept of “Privacy by Design”. This is a new approach to system design requiring businesses to adopt specific design processes that checkpoint and document the privacy protections at each step.
7. Data breaches must be reported to EEA authorities within 72 hours of the suspected breach.
8. Personal data includes:
a. Personally Identifiable Information (PII – similar to the US privacy regulations) – name, birthdate, driver’s license, passport, address, social security number. Newly included is a person’s IP address(es).
b. Sensitive personal data, including:
i. Racial or ethnic origin
ii. Political opinions
iii. Religious or philosophical beliefs
iv. Trade union membership
v. Genetic or biometric data
vi. Sex life or sexual orientation
vii. Criminal offenses/convictions