The General Data Protection Regulation (GDPR) will go into effect this Friday, May 25, 2018. After years of deliberation and anticipation, the European Union’s foremost privacy protections will finally take hold and apply to all entities that handle the sensitive information of European Union (EU) data subjects.
As evidenced by the deluge of news articles headlining the GDPR’s debut, businesses around the globe are making their final preparations to comply with the EU’s new privacy regulation reality. We encourage you to read our interactive GDPR Guide to better understand and comply with this massive shift in privacy regulation. Because when the day breaks in the EU on Friday, the GDPR will have an impact on every small business, corporation, or individual that handles the information of an EU data subject. And that means this regulation may impact you.
Here are some fast facts and key boxes to check before the GDPR goes into effect.
First off – why are we doing this?
The GDPR was developed to protect the privacy of EU data subjects, and it outlines strict requirements for the businesses and entities that gather, store, or distribute an EU data subject’s personally identifiable information (PII) – regardless of where the entity or company is located.
Does the GDPR even apply to me?
If you handle the personally identifiable information of an EU data subject, the GDPR applies to you. In our internet-enabled world, individuals share a plethora of personal data to access and benefit from the innovations that improve our lives. Today’s app innovations can monitor users’ health, manage their finances, or connect individuals through a variety of social networks. Each of these interactions has the potential to connect to a person’s PII, which includes information like a person’s name, ID number, location, or other factors that point to a person’s physical or physiological identity. If you collect or handle this type of information from an EU data subject, the GDPR applies to you.
Wait, what is an “EU data subject” anyway?
According to Article 3(2) of the GDPR, the regulation applies not only to the processing of the personal data of data subjects who are in the European Union, which means that the GDPR applies to people – both citizens or residents – who are physically within the European Union, but also the data subjects whose data is handled by a data controller or processor established—not necessarily located—in the European Union. Thus, the GDPR could apply to a data controller or processor without that company or organization physically being in any EU member state. This is because the touchstone for the GDPR is whether that controller or processor uses EU data subjects’ personal information, but not necessarily where the company is physically located. Though internet-enabled data flows allow data to be accessed, controlled, and processed in all parts of the globe, the GDPR seeks to protect the personal information of data subjects located within the borders of the EU at the time their data is processed or whose data is handled by entities located either in the EU or outside of it.
Ok… so how do I prepare?
Determine whether you are a data controller or a processor. This vital distinction will determine your responsibilities under the GDPR. A data controller is the entity that determines the purpose for processing an EU data subject’s personal data. In contrast, a processor processes, moves, or stores the data on behalf of the controller but does not decide how the data is used. to uphold the integrity of an EU data subject’s personal information, they have different requirements when it comes to breach notification, consent requirements, or data deletion. You can learn more here.
Designate an EU representative. If you consistently hold or process data on an EU data subject, the GDPR requires your company to have a physical presence or representative in the EU. Many businesses have already hired local data protection officers (DPOs) who have EU privacy expertise, understand the nuances of the GDPR’s regulations, and can implement privacy protocols in the event of a data breach.
Update your consent mechanisms. The GDPR has strict rules regarding consent and requires that all data processors or controllers provide an intelligible and easily accessible form to ensure that a data subject gave the requisite consent to access the data. The purpose for using the personal data must also be attached to the consent. In addition, entities that control or process personal data must provide an easy mechanism for data subjects to withdraw their consent.
Know your plan in the event of a data breach. The GDPR outlines rules and consequences if an EU data subject’s personal information is jeopardized. If your business experiences a data breach that results in the accidental or unlawful destruction, loss, alteration, or disclosure of personal data, there are specific protocols to follow based on your classification as a controller or a processor. If a data controller experiences a breach, they must notify their supervisory authority no later than 72 hours after becoming aware of the breach. Processors, on the other hand, do not have the 72-hour lead time, and they must inform the controller as soon as it becomes aware of the breach.
Know how the GDPR compares, and how it doesn’t. The GDPR diverges from existing privacy regulations in many, and significant, ways. Because you comply with U.S. privacy laws, U.S. data breach laws, Children’s Online Privacy Protection Act (COPPA), and the Health Insurance Portability and Accountability Act (HIPAA), does not mean you are in compliance with the GDPR. Our Guide outlines just how the GDPR shapes up to other privacy regulations, here.
You can read our full GDPR preparation checklist within the GDPR Guide here.
Businesses around the world wait with bated breath for the implementation of the GDPR, but only time will tell the full extent of its reach, the nuance of its application across EU member states, and the enforcement against its infractions. The team at ACT | The App Association is dedicated to helping our members address challenging and unsolved questions of the regulation, offer updates and insights to its application, and do all we can to help our members comply.
May 25th is just a few days away. Be sure to read through our trusty GDPR Guide for final preparations and stay tuned for new updates and information to come.