Have your clients been asking about GDPR? Due to take effect on May 25, the European Union’s General Data Protection Regulation may impact a portion of your clients, not least due to the intensifying focus on the use of personally identifiable information. Although GDPR applies only to EU citizens, it’s influencing even US companies to alter their terms of service, rewrite contracts, and provide new tools to handle “personal data.” I offer six reasons why some of your clients may find it less risky to assume GDPR does affect their business than to assume it does not. This is especially true if their enterprise handles personal data:
- GDPR’s reach: GDPR protects EU individuals’ data wherever it may be generated or processed, even if no financial transaction occurs, and even if the EU individual didn’t provide the data. How much this concerns your clients can depend on the people their marketing targets. If, say, their English-language webpage is written for US customers, GDPR won’t apply. But if they target EU data subjects — for instance, a webpage that references EU customers and accepts Euro currency — then GDPR applies.
- Personal and sensitive data must be treated right: GDPR defines “personally identifiable information” to include any data that can be used on its own or in conjunction with other data to identify someone. GDPR distinguishes between “personal data” that’s private (e.g., IP address, street address, name) and “sensitive data” (e.g., sex, religion, level of education, union membership) that must be stored differently and cannot be used in making business decisions like granting a mortgage. Any data your clients use that’s covered by GDPR must be protected according to GDPR rules. If your clients already adhere to the likes of PCI DSS, ISO 27001, or NIST data security standards, they’re less likely to feel the burden.
- The new nature of consent: Under GDPR, consent language must be simple, clear, and easy to understand. Consent for using personal data must be “freely given, specific, informed, and unambiguous” as well as reversible. Data subjects must understand what personal data will be collected, and must consent to each processing operation performed on the data. If consent is conditioned on contract performance or obtained where there’s a power imbalance, it’s not valid. Nor may a data subject suffer any detriment upon electing to withdraw consent. Data subjects have the right to access data stored about them, correct inaccurate information, and limit the use of their data in decisions made with algorithms and profiling.
- Breach notification rules toughen: “Accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed” requires that EU regulators be notified within 72 hours. Any “high risk” to fundamental property and privacy rights — such as exposure of credit card numbers or account passwords — requires that data subjects be notified, too.
- Data sharing: GDPR’s transparency requirements about second-hand data likely mean that both data breaches and data sharing will become more expensive. Although some GDPR compliance questions — e.g., who’s liable if personal data was breached from a data sharing partner? — remain unanswered, affected clients should anticipate developing new approaches to logins, analytics, targeted advertising, and data partnerships to make these GDPR-compliant.
- The penalties: GDPR fines range up to 4% of annual global revenue or €20 million, whichever is higher. Ouch.
GDPR presents a unique opportunity to work with your trusted technology advisor in analyzing your clients’ current security policies, software, services, and employee attitudes — and then adapting these to a world in which your clients’ systems have data protection designed right into them.