WHAT IS IT?
In 1995, with the Data Protection Directive (DPD), the EU adopted an ambitious set of data security and privacy rules. The Directive included requirements to obtain consumer opt-in, limit the amount of data collected, allow correction and erasure of personal data on request, and force organisations to erase data that was no longer relevant.
The EU was one of the first to take many privacy principles — more familiar to us today as Privacy by Design (PbD) — and turn them into real-world data security laws and policies. The EU’s DPD had an advanced definition of personally identifiable information, referred to as personal data, the data that is ultimately protected by the law. In the DPD, personal data could cover both standard identifiers (name, address, phone number) as well as Internet-era handles.
The new General Data Protection Regulation (GDPR), which will replace the DPD, was approved in April 2016. It will provide a uniform law across the EU and address many of the shortcomings in the DPD. Companies have up to two years to become compliant: the GDPR will go into effect in May 2018, and this interim period is for companies to prepare for its arrival.
The GDPR will add requirements for documenting IT procedures, performing risk assessments under certain conditions, and notifying consumers and authorities when there is a breach, as well as strengthening rules for data reduction. For companies that only collect data on EU citizens over the Internet, without having a formal presence in a member country, the GDPR’s concept of “extra-territoriality” will mean the GDPR applies to them as well.
Finally, the GDPR will contain a significant financial sting for noncompliance: a maximum fine of €20,000,000.00, with fines tiered so that some violations are set at 2% and more serious lapses at 4% of a company’s global revenue.
Ultimately, the message for companies that fall under the GDPR is that awareness of your data — where is sensitive data stored, who is accessing it, and who should be accessing it — will now become even more critical.