In my last post, I listed two of the six ways the European Union’s General Data Protection Regulation (GDPR) can affect even non-EU enterprises—by …
- Reaching beyond the EU; and
- Redefining personal and sensitive data.
Here are four more reasons you can’t afford to ignore GDPR:
- The new nature of consent
Under GDPR, consent language must be simple, clear, and easy to understand. Consent for using personal data must be “freely given, specific, informed, and unambiguous” as well as reversible.
Data subjects have the right to access data stored about them, correct inaccurate information, and limit data use in decisions made with algorithms and profiling.
For consent to be adequately informed, the data subject must know about:
- The identity of the data controller;
- What personal data will be collected;
- The purpose of each data processing operation — so consent must be explicitly granted for each specific purpose and the type of processing used to achieve it;
- How that personal data will be used in decisions based solely on automated processing (including profiling);
- Possible risks from personal data transfers to third-party countries; and
- The right to withdraw consent.
If consent is made conditional on a contract’s performance, or where there is a power imbalance between the parties, it is not valid. Nor may a data subject suffer any detriment for electing to withdraw consent.
- Breach notification rules toughen
“Accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed” requires that EU regulators be notified within 72 hours.
Any “high risk” to fundamental property and privacy rights — such as exposure of credit card numbers or account passwords — requires you to notify the data subjects, too.
- Data sharing
GDPR will probably make both data breaches and data sharing more expensive, since GDPR demands greater transparency about second-hand data. This is compelling a rethink about approaches to logins, analytics, and, of course, targeted advertising. It’s also forcing data partnerships to rewrite contracts so they’re GDPR-compliant.
Still, some compliance questions — such as, who’s liable if personal data was breached from a sharing partner? — remain unanswered.
- Oh, those penalties …
GDPR fines range up to 4% of annual global revenue or €20 million, whichever is higher.
GDPR-style rules are being mulled in Japan, Singapore, and Australia. Plus at least three US states — California, New York, and Massachusetts — are pondering stronger data protection laws.
But many GDPR requirements remain unspecified, permitting a range of implementations and a chance to shape new ways to protect personal and sensitive data that work for everyone.
Indeed, the need to respond to GDPR presents a unique opportunity to work with your trusted technology advisor in analyzing current security policies, software, services, and employee attitudes — and then adapting these to a world in which all your systems have data protection designed right into them.