The General Data Protection Regulation (GDPR) is the new European Union law that will be replacing the Data Protection Act 1998 in the UK on May 25th of 2018. The GDPR varies from prior regulations due to its expansion on individual client data protection. New conditions and requirements have been placed on data transfer across borders, as well as changes to the way businesses collect, safeguard, and share various types of data.
The new law is being put in place to increase data protection for citizens of the EU by placing heightened responsibility on businesses. The GDPR applies to any personal data that can be directly or indirectly used to identify someone.
The GDPR applies to any company collecting personal data from an EU citizen, who is present in the EU at the time of data collection. This extends beyond financial only transactions to cover any personally identifiable information. (PII)
Many US-based companies are already in compliance with various types of regulations from PCI-DSS, NIST, HIPAA, and others. This generally correlates to processes already being in place to aid in GDPR compliance without having to start from scratch. There are specific differences between US regulations and those of the GDPR which revolve around the specifications of data covered and the rights that the EU citizens have over their data. These should warrant further research to ensure a thorough understanding.
The GDPR brings with it large changes to the area of consent. If you are collecting “personal data” you must receive consent that equals a positive opt-in to the processing of their data. Sole traders and partners are an important distinction to understand in the new law. They are required to provide an opt-in before you can process their data as it is considered personal, rather than business information.
The GDPR defines personal data as anything that can be used to identify an individual person. Under the new legislation, it is the responsibility of the business to collect, store and use data appropriately and with good reason. The data collected must be part of a contract with the client, or they must have given their consent for any of their data to be processed.
• Only utilize data for lawful and authorized purposes
• Only retain as much information as is necessary for intended purposes
• Ensure the accuracy of all data
• Any personal data that is no longer required must be properly destroyed
• All personal data stored by your business must be protected
• Always comply with data security rights
• You must be prepared to prove compliance
• Each business must conduct a Data Protection Impact Assessment (DPIA)
• You may need to employ a data protection officer (DPO)
Three reasons the GDPR regulations are not to be taken lightly involve the serious consequences for failure to comply.
The risk to your reputation – The new law will require notification of a data breach to occur within 72 hours of discovery. A business is required to notify the authorities as well as any individual whose data has been impacted based upon the level of damage that they may incur. Any data breach comes with the risk of harm to market position as well as reputation.
Geographic Risk — Being outside the EU does not prevent you from complying with the new regulations.
Massive Fines — Failure to comply with the new regulations will lead to significant fines of up to 20 million EUR or 4 percent of the company’s global turnover, whichever is higher.
The GDPR will require all companies to implement infrastructure to collect, store and process data within the new guidelines, and continuously review and update their processes to ensure maximum data protection and compliance. For more information please visit: https://www.eugdpr.org/
As a leader in IT asset management and end-of-life electronics processing, ECS Refining provides a broad spectrum of solutions that enable OEMs, retailers, enterprises, and e-waste collectors to manage, disposition, and recover value from electronic devices while protecting sensitive data and mitigating downstream liability.