The EU General Data Protection Regulation, passed in 2017, is set to go into full effect on May 25th, 2018. Among other considerations, the GDPR grants the right to be “forgotten” on the Internet. It goes much farther than that, however, in efforts to protect personal privacy and sensitive identifying information. The GDPR replaces the Data Protection Directive which has been in place since 1995.
Companies that are Directive Compliant Should Transition Easily
Companies that are already in compliance with the DPD will have little difficulty making the leap to GDPR, since GDPR is built on regulations already in place. However, the new ruling will be more stringent in response to instances of personal data theft and the prevalence of data mining. It will narrow the use of personally identifying data, such as personal names, official numbers (such as social security numbers or driver’s license numbers), address, medical information, and even employment in some circumstances. There’s some question as to whether telephone numbers and addresses associated with business activity will fall under this heading. Some things remain to be worked out.
An Important Difference between GDPR and DPD
One important difference between the GDPR and the older DPD is that the GDPR is a regulation, not a directive. A directive is a guideline that works with regulations in several countries across borders. A regulation is a law that’s in effect across political lines. The GDPR has been accepted by 28 countries. Because it is a law, not a suggestion for appropriate behavior, enforcement is likely to be much stricter.
Who Will Be Affected
Companies that make a practice of collecting statistical data (including personal information) and companies that store data for others, such as Folderit, are likely to be affected. Even if your company is not inside the EU and doesn’t normally have business dealings with EU citizens, it is a good idea to maintain compliance because the broad accessibility of the Internet makes it possible that someone from the EU might buy an item or service from your online business. Transmission of personal data from EU citizens will be highly controlled, especially outside the EU. Transactions as simple as selling a pair of socks or writing a celebratory poem and receiving pay from an EU citizen can generate information that’s considered privileged.
Help! I’ve Been Hacked!
The GDPR also covers security breaches. If you’ve ever had to call your bank or other financial institution and let them know that your information has been hacked, you know exactly how irritating and inconvenient this can be – even if nothing of consequence has been taken. If you are a company that handles other people’s information, your difficulty is multiplied by your service roster plus their potential contacts. In addition, the GDPR has a reimbursement responsibility clause that will make providers potentially liable for losses resulting from inappropriately shared personal data.
The Right to be Forgotten
The right of erasure, which is provided by GDPR, is another concern. If an individual is named in several documents, how will you go about removing references to them? What will happen to pertinent data that’s included in that document? Will you be forced to remove that information along with references to the individual, or will you be able to preserve transaction histories separately from information about the person being “erased”? You might need to take steps to separate company data from personal data, creating a way to preserve valid records even if an individual asks that their information be removed.
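One way to keep transaction history while still honoring an erasure request is to store personal data in its own record, keyed by a pseudonym, and have company records reference only that pseudonym. The sketch below is an added illustration of that separation, not Folderit’s code; the `Ledger` class, its field names and the sample sale are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Ledger:
    """Constructed example: personal data and business records kept apart."""
    # Personal data, keyed by an opaque pseudonym; holds the per-subject key
    subjects: dict = field(default_factory=dict)
    # Company records reference the subject only through the pseudonym
    transactions: list = field(default_factory=list)

    def register(self, name: str, email: str) -> str:
        # Per-subject random key: the pseudonym is an HMAC of the e-mail under it,
        # so the link e-mail -> pseudonym can only be rebuilt while the key exists
        key = secrets.token_bytes(32)
        pseudonym = hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()[:16]
        self.subjects[pseudonym] = {"name": name, "email": email, "key": key}
        return pseudonym

    def record_sale(self, pseudonym: str, item: str, amount: float) -> None:
        # Business record: no name, no e-mail, only the pseudonym
        self.transactions.append({"subject": pseudonym, "item": item, "amount": amount})

    def lookup(self, email: str):
        # Re-derive the pseudonym with each stored key; works only for live subjects
        for pseudonym, rec in self.subjects.items():
            cand = hmac.new(rec["key"], email.lower().encode(), hashlib.sha256).hexdigest()[:16]
            if hmac.compare_digest(cand, pseudonym):
                return pseudonym
        return None

    def erase(self, pseudonym: str) -> int:
        # Right of erasure: drop the personal record and its key. Transaction rows
        # stay, but nothing remains that can tie them back to a person.
        self.subjects.pop(pseudonym)
        return sum(1 for t in self.transactions if t["subject"] == pseudonym)

    def revenue(self) -> float:
        # Valid company records survive erasure unchanged
        return sum(t["amount"] for t in self.transactions)
```

Free-text fields (a note that names the customer) are not covered by this split and still need their own handling.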
An “Out” for Companies
Companies do have an out, which is the phrase “reasonable steps to preserve privacy.” Encryption is one way that you can protect individual privacy as well as company information. Up-to-date, state-of-the-art antivirus and malware protection is another. This year’s Internet business could be described as living in interesting times or, to quote Charles Dickens, it could be “the best of times and the worst of times.” We shall soon see how the application of this new regulation will play out. An old Ozarkian aphorism runs, “Plan for the worst, and hope for the best.” It is a good rule for any business situation, and perhaps this one in particular.