What is GDPR?
The GDPR is the “General Data Protection Regulation”, legislation by the European Union that, from 25 May 2018, does two primary things:
- Establishes personal data rights for individuals in the EU
- Sets principles for how businesses should store and process this personal data
Does GDPR affect your US business?
If you store or handle (process) any information about EU citizens or individuals in the EU, then the GDPR applies to you. There is no size threshold in the GDPR, so it applies to businesses and organizations of all sizes (even freelancers, non-profits, and clubs).
This technically means that the GDPR applies even to a small association that happens to have a member who is an EU citizen residing in the US. What will be interesting to see is what actually happens to smaller companies and organizations that operate solely in the US.
What is the penalty for breaking GDPR?
Here’s where you want to pay attention. The GDPR specifies a maximum penalty of 4% of annual global turnover or €20m (whichever is the greater).
What does this mean for US businesses? We’ll have to wait and see. Either way, start making changes now. It’s good for you, good for your customers, and good for your team.
How does your US business comply with GDPR, and do you need to become “GDPR Certified”?
There is no GDPR certification, and a lot of the legislation is quite ambiguous. What you do need to be serious about is knowing what information you have, why you have it, and how long you are retaining it for, and then making that information available in your privacy policies. Below are a few pointers for getting compliant with GDPR. By no means is this an exhaustive list, nor should you take it as legal advice, but it is a lot of really good information compacted into a few simple steps.
Simple GDPR Checklist
- Identify and document what personal data your business is storing, collecting, or processing.
  What types of personal data (name, address, email, etc.) and sensitive data (health information, religious/political views, etc.) do you have? Where is it coming from, how is it being used and stored, and where is it going?
- Review your security measures and security policies to make them GDPR-compliant.
  While there are no exact guidelines on what security measures you need to have in place, there are a few things you need to know:
  - Encrypt as much as possible. The GDPR recommends separating personal data from the personal identifier (name or even email address) and encrypting it.
  - Report security breaches within 72 hours.
- Update your privacy policies.
  You’ll need to include what data you are storing, why you are storing it, who you send data to, and how long you’ll store the data for. Keep things simple, in plain English, and as short as possible. The irony is that the GDPR legislation telling you to keep it concise is an 88-page document!
What else do you need to think about?
- Prepare to give EU citizens access to their data:
  Under the GDPR, EU citizens have the right to access, update, and remove their personal data.
- Make sure your service providers are GDPR-compliant:
  If personal data is being stored or processed by any other service providers, organizations, or contractors, you’ll need to make sure that they are also GDPR-compliant.
- Do you need a Data Protection Officer (DPO)?
  Unless you are a large business, or are processing large amounts of personal data or sensitive data, you probably won’t need a DPO. As with all information here, you should check with your lawyer.
Digging Deeper: A Few Key Points and Definitions
Key points for how personal data should be processed:
- Lawfulness, Fairness and Transparency – Personal data is stored and used in a lawful, fair and transparent manner.
- Purpose Limitation – Personal data should only be collected for specific, legitimate purposes and then should only be used for those purposes.
- Data Minimisation – Collect the personal data that is needed and no more.
- Accuracy – Keep personal data up to date.
- Storage Limitation – Keep personal data for the amount of time it is needed, then get rid of it.
- Integrity & Confidentiality – Keep personal data secure by using the latest and best security standards you can.
EU rights under GDPR:
- Right to be Informed – give simple, clear privacy notices.
- Right of Access – give individuals access to their personal data.
- Right to Rectification – individuals can update their personal data if it is inaccurate.
- Right of Erasure – “the right to be forgotten”, but only if there is a legitimate reason to do so.
- Right to Restrict Processing – individuals can block processing of their personal data.
- Right to Data Portability – individuals can obtain and transfer their personal data.
- Right to Object – individuals can block different forms of data processing.
- Right to block automated decision-making or profiling using personal data.
Personal Data – really anything that can be used to identify an individual, directly or indirectly.
Sensitive Data – personal data that requires higher security measures and needs to be treated with more consent and sensitivity. Sensitive Data is:
- racial or ethnic information
- political information
- religious or philosophical beliefs
- trade union memberships
- genetic data
- bio-metric data
- sex life or sexual orientation
- health data
Processing – anything that is done to or with personal data (automated or manual). Processing is deliberately defined broadly to cover everything, including storing, collecting, recording, organizing, structuring, analyzing, etc.
Subject Access Request (SAR)
A request from an individual exercising their right to obtain a copy of their personal data; it must be fulfilled within one month of the initial request.