Key aspects of Europe’s General Data Protection Regulation

The General Data Protection Regulation, or GDPR, is a new set of rules intended to protect the online data of European citizens. It is the largest overhaul of data protection regulations since the EU’s 1995 Data Protection Directive and brings about a strict and complex set of requirements along with fierce penalties. GDPR becomes enforceable 25 May 2018.

Penalties

Failure to comply with GDPR can carry a fine of up to €20 million or 4% of a company’s annual, global turnover, whichever is greater.

Subject data requests

Companies dealing with European customers must be able to provide those consumers with reports detailing the personally identifiable data that they hold, how they use that data, and under what permissions.

Security breach notifications

Companies will be forced to notify authorities and affected individuals of high-risk security breaches within 72 hours of the event.

Data officers

Some companies, including those that do large-scale monitoring of individuals and those that handle personal data related to criminal convictions and offences, will be required to hire or appoint a data protection officer.

Providing access to data

As part of GDPR, companies must be able to provide Europeans with a copy of their personally identifiable data and under some circumstances delete it at their behest. Here is how companies can do that:

Take an inventory of your data

Companies must take note of all the data they hold, where it sits, what rights they have to use or transfer that data, for what purposes, and for how long.

Categorise and assess the sensitivity of the data

Companies don’t have to provide subjects with low-risk data, meaning information that likely cannot identify a user, such as their food preferences. They will, however, have to provide subjects with high-risk data, which is data that can directly or indirectly identify a user, such as their name or address.

Put in mechanisms to fulfil data subject requests

Companies must set up ways for individuals to make these data requests. Additionally, they must set up systems to fulfil these requests.

Fulfil requests

Companies must complete these requests within one month.

Using personally identifiable data

Companies use data to run analytics and develop algorithms that can give them an edge over competitors. Under GDPR, using data like that won’t be so easy. That’s because the new European regulation makes it more difficult for companies to rely on consent to use personally identifiable data from consumers in any way. Here are two common options:

Renew consent from users

• Some companies are enlisting the help of consultants and marketers to run campaigns to help them achieve high rates of new consent.
• Companies must explicitly explain what they intend to use the data for and get consent for those specific cases.

Pseudonymise personally identifiable data

• Some companies are turning to the help of vendors with software that scrambles the data in question, tightly shielding the identities of specific users with risk-managed, technical measures.
• By pseudonymising, companies can use the data they already have for analytical purposes without having to get explicit consent from users so long as they’re protecting users’ identities.

Sources: Anonos; Ebsta; European Union’s General Data Protection Regulation; Reuters Research.