Everyone is talking about GDPR: what is it, and does it affect US companies with operations in Europe? The EU's General Data Protection Regulation (GDPR) can look like a complex revision of Europe's twenty-year-old data protection rules (the 1995 Data Protection Directive). The regulation builds on that original set of fundamentals, which remain largely unchanged, and adapts them to address the privacy risks created by new technologies and the higher data-privacy expectations of people living in the EU.
The General Data Protection Regulation is the basic framework for protecting the personal data of individuals in the European Union. It lays out detailed requirements governing the collection, use, sharing and protection of personal data.
This update is intended to help readers understand the revised data protection requirements in Europe and answers the following questions:
- What is GDPR and who is affected?
- How will it affect your company's operations in the United States?
- What does the new regulation say about encryption, key management and access controls?
- What are the consequences for not being compliant with the new regulations?
The General Data Protection Regulation is the reform of European data protection law that takes effect on May 25, 2018. It is intended to protect the personal data of people in the EU and to strengthen online privacy.
The regulation sets rules for organizations that use, process or control the personal data of individuals in the EU, across all EU member states, including stricter rules on obtaining consent to use and process that personal data.
The wording used when requesting consent must be clear and easy to understand, and consent must be as easy to withdraw as it was to give. Failure to meet these requirements can lead to fines and other consequences, leaving little room for error.
These rules affect every company that operates in the EU or that uses the personal data of people in the EU. The revised regulation, which goes into effect on May 25, 2018, expands who is covered: it applies to U.S. companies that offer goods or services to people in the EU or monitor their behavior, even if the company has no physical office in the EU.
U.S.-based companies that use, control or store such personal data are therefore impacted, whether they act as a controller (deciding the purposes and means of processing) or as a processor (processing data on a controller's behalf). The regulation spells out the conditions under which personal data may be processed and the protections that must be in place.
Personal data under GDPR is any information relating to an identified or identifiable person. Examples of personal data that the regulation requires companies to secure and protect include:
- E-mail Address
- Banking Information
- Medical Information
- Social Network Posts
WHAT DOES THE NEW REGULATION SAY ABOUT ENCRYPTION, KEY MANAGEMENT AND ACCESS CONTROLS?
The new regulation will likely affect day-to-day operations. It requires a full evaluation of the security measures in place to protect personal data, including an assessment of your company's risk of data loss or a data breach. GDPR does not mandate any single technology, but it names encryption and pseudonymisation explicitly as examples of appropriate technical measures, and it requires that security measures take the state of the art into account. A company that chooses not to encrypt personal data should expect to justify that decision, and an unencrypted breach carries heavier consequences: if the breached data was encrypted in a way that leaves it unintelligible to the attacker, the company is relieved of the obligation to notify the affected individuals (the 72-hour notification to the supervisory authority may still apply). That relief only holds if the encryption keys were not compromised along with the data, so your company should be just as diligent about encryption key management. Keeping keys separate from the encrypted data, restricting who and what can use them, and logging their use all reduce the impact of a breach.
Another requirement is the right to erasure: businesses must be able to delete an individual's personal data from their systems when the individual requests it and no legal basis for keeping it remains. Firms will need ways to share information efficiently while still enforcing retention limits, access restrictions and removal of specific content.
Effective enforcement and compliance require companies to keep records of the personal data they store and of the processing they perform. The company must be able to document that it has maintained compliance with the new regulation; under GDPR the burden of demonstrating compliance rests on the company.
Companies involved with accessing, storing and processing personal data may hire a third party to manage their privacy and data protection policies. If these records are maintained effectively, the company can demonstrate its GDPR compliance.
GDPR may also require the appointment of a Data Protection Officer (DPO). A DPO is mandatory if your company is:
- A public authority
- Carrying out, as a core activity, regular and systematic monitoring of individuals on a large scale
- Carrying out, as a core activity, large-scale processing of special categories of data or of data relating to criminal convictions and offenses
Failure to appoint a DPO when one is required can lead to hefty fines.
Example: GDPR's storage limitation principle says personal data may not be kept longer than necessary for the purpose it was collected for. One practical way to apply this when an encrypted email containing personal data is shared is to set an expiration date so that the message is deleted automatically after a set period. This limits how long the personal data is exposed to being stolen and sold.
GDPR holds businesses accountable for securing the personal data of people in the EU. Companies must also obtain individuals' consent (or rely on another lawful basis) for using their data and must make it easy to have personal data removed on request. IMA is more than willing to answer questions about the new General Data Protection Regulation (GDPR) as May 25, 2018 approaches. GDPR compliance presents unique challenges, but with the right resources companies can be compliant before the new regulation is enforced throughout Europe.
Please be advised that this communication is an educational and informational resource only. The views and statements expressed herein are not to be construed as legal advice from the authors or IMA and such communication is not protected under the attorney client privilege. Recipients should seek specific legal advice from competent legal counsel of your choice.