TL;DR Version:
- GDPR Stands for General Data Protection Regulation
- It will become enforceable 2018.05.25
- The law applies to all citizens in the European Union
- The law aims to protect the personal data of EU citizens
- The law regulates companies based in the EU
- The law ALSO regulates companies not based in the EU that transfer data in and out of the EU
- Highlights include rules on how data is accessed by individuals and providers, and what it can be used for
Longer Version:
GDPR was put into place on 2016.04.27. As the enforceability date of 2018.05.25 approaches, IT departments, business owners, and individuals should know where they stand on this monumental digital protection legislation. Are you ready?
Disclaimer: I’m not a legal expert. I am an IT person with a blog. You may consider the statements here as purely fiction / opinion. However, I will link you to the official European Commission website so you can read everything and decide for yourself.
What’s it got to do with me? Arguably the most controversial part of the GDPR states (to paraphrase) that the regulation applies to any company based in the EU, or to any company not based in the EU that collects data from individuals in the EU. The practical example of this: if Microsoft, Google, or any company under 250 people want to market and sell products that involve any personally identifiable information in the EU, they must adhere to this regulation (there are a number of different rules for smaller companies). Some technology and legal experts suggest that there might be a ripple effect throughout the world, because who wants to do business with a company that is not complying with the GDPR? Take the UK for example. Because of Brexit they are not bound by the GDPR, but because the UK economy is so intertwined with the EU, companies in the UK that do business within the EU will likely have to conform anyway. Extend that premise to any other company that does business in the EU or with UK companies, Facebook, or Google, and the dots are easy to connect. When you think about it, there aren’t that many degrees of separation between you and the EU.
There may also be a number of cost-benefit motivators that will drive companies to adopt the change. The first calculation is that there will be a development cost for producing two different classes of offerings (one compliant and one non-compliant). This proposition seems prohibitive if you’re not one of the larger companies. And even if you were a larger company, would it be worth it?
OK. So what do I have to do? Well, as usual, it depends. If you’re an individual, your best bet is to actually read the pages of the regulation for yourself. Ask a legal expert what this might mean for you (and what it means to them). Then ask another. Then another. Then talk to several IT professionals and ask what they think. Chances are they will each have a perspective, and it’s possible that they may not interpret the regulations in the same way.
But here are some things that are clearly stated directly in the regulation:
- The protections do not extend to criminal activities (Sec 19)
- Protections apply to any EU individual’s data, even if the processing does not occur in the EU (22)
- A person’s agreement should be stated so that it is a “clear affirmative act establishing a freely given, specific, informed and unambiguous indication”. (32)
- A company processing personal data has 72 hours to contact a person if their data is breached. If the company can’t make it in 72 hours, they still have to notify the person and also tell them why they were unable to contact them in time. (85)
- Fines can be 10 000 000 Euro or 2% of worldwide turnover (whichever is higher) (Art. 83, ss 4 and 5)
If you are an IT professional, your best bet is to work with a legal professional who is familiar with technology law. Reading through the legalese won’t necessarily translate into obvious technological answers. The gist of the regulation, in the context of practical steps for IT professionals: ask yourself whether you’ve done enough to secure personally identifiable data, whether users have clear opt-in and opt-out options, and whether you have a process in place in the event that systems holding user data are compromised. There are also some sections about anonymizing data and establishing a purpose-built role in your company to manage compliance. Again. Seek professional legal help!