In anticipation of the passage of the GDPR, we at Prospus have had one primary question: how will GDPR affect our customers? Our aim with this series of articles is to provide meaningful information in digestible chunks, rather than unclear academic or legal documents. To that end, we have condensed GDPR compliance into a readable summary intended for those tasked with ensuring their web and mobile products and services are GDPR-compliant. We will regularly add to this series, so feel free to follow along.
In May 2016, the European Union (EU) passed the General Data Protection Regulation (GDPR) with the intention of replacing the regulations of the 21-year-old Data Protection Directive (DPD). Under the DPD, the 28 EU member states were allowed to set their own data privacy and security rules, creating a great variety of regulations across the continent. However, after May 25, 2018, all organizations providing software solutions to EU citizens are subject to uniform data protection requirements under the GDPR. Non-compliant organizations will face hefty fines.
A number of factors prompted the EU to pass this sweeping regulation:
- Changes in users and data. The number, types and actions of software users are constantly increasing and the amount of data they are sharing with organizations is growing exponentially. Organizations are accumulating, processing, trading, and sharing data in ways that many people are uncomfortable with. It is often unknown where data resides, who can and who is accessing it, and what happens if it is accessed maliciously.
- Changes in data access and processing. The cloud, social networking, smart cards, and an array of digital and mobile devices flung open the door to data security threats. Aware of this globally changed landscape, the EU enacted regulations that recognize that “the protection of natural persons in relation to the processing of personal data is a fundamental right.”
Under the GDPR, individuals will have the right to access, correct, and erase their personal data, in addition to objecting to its processing and exporting it for their own use or reference. Organizations will be required to secure personal data, provide controls and notifications for individuals to interact with their data, gain clear consent for processing data, and notify authorities of personal data breaches. Additionally, organizations will have to provide clear notice of data collection, outline processing purposes and use cases, define data retention and deletion policies, and record transaction details for all processing.
The implications are far-reaching, and most organizations will need to train privacy personnel and employees, audit and update data policies and perhaps even employ a Data Protection Officer. Vendors will also be compelled to share their own compliance efforts, in effect ensuring a network where non-compliance has immediate monetary impact. Though other countries have not enacted such comprehensive privacy legislation, it is believed that most major countries will follow suit.