The GDPR (General Data Protection Regulation) is set to usher in the next era of European digital compliance this May. As the latest set of European Union (EU) regulations regarding consumer rights, the GDPR has been proposed in order to strengthen and unify data protection for individuals, and address issues with exporting data outside of the EU.
This will mean changes to the way in which many businesses which operate within the EU handle and process customer data. Keep reading to find out how.
Update (5/10/2018): Learn how to prepare your Magento 2 store for GDPR.
What is the General Data Protection Regulation (GDPR)?
The GDPR is a new set of online data security regulations which have been adopted by the EU and will be put in place by May 25.
The main things you need to know are that the GDPR will broaden the definition of what constitutes personal data, change the way in which you handle that data, and provide individual EU consumers with increased control over their personal information.
While online data security and consumer rights protections have existed for a long time in the form of the Data Protection Directive, that directive's definitions and mechanisms date back to 1995. The internet has changed a lot since then and new regulations have long been needed.
The GDPR will apply to all EU member states and any business which is active within them. For many companies both inside and outside of the EU, this will mean a change of strategy in order to continue working within Europe.
Why do we need the GDPR?
In a sentence: because data protection and privacy issues are increasingly becoming a problem.
As internet technology continues to grow so too does the frequency and effect of data breaches. In 2013, there were over 575 million of them. By the first half of 2017, that number had increased to over 1.9 billion. Over 95% of those breaches involved unencrypted data which was not being suitably protected. How does this affect consumers and organizations? By 2019, the total global annual cost of all data breaches is expected to exceed $2.1 trillion in damages.
The GDPR aims to try and reduce these figures by creating a set of data security standards. These are standards which organizations and businesses which operate or have an entity in Europe will need to follow. For some, these increased protections are just “common sense” data security ideas which should have been implemented long ago. For others, they are serious concerns which their business has yet to fully address. In a survey by Deloitte, it was found that just 15% of respondents expected to be fully GDPR compliant by the deadline.
Who Will Be Affected by the GDPR?
Your business will be affected by the GDPR if you are storing or processing information on EU citizens, even if your business or processing centers are not located in the EU.
As the GDPR documentation states:
“This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the [European] Union, regardless of whether the processing takes place in the [European] Union or not.”
How Will the GDPR Work?
Current data security regulations already require security for names, addresses, and basic ID numbers (e.g. social security numbers). The GDPR aims to take this further and provide similar protection for individual IP addresses, cookie data, and more.
By securing this information in a more stringent manner, the frequency of data breaches and information theft will hopefully decrease. However, you should note that the GDPR does not just address what type of information is protected; it also addresses how it is protected.
Data the GDPR Will Protect Includes:
- Names, addresses, and ID numbers
- Location data, IP addresses, cookie data and RFID tags
- Biometric data
- Health-related data
- Political opinions
- Sexual orientation
- Racial and ethnicity data
Additional GDPR Roles
There are three main roles which have been defined by the GDPR which will need to be filled. These roles are responsible for implementation and compliance with the GDPR. They include:
- A Data Controller – Responsible for deciding on how personal data is processed and why it is processed.
- A Data Processor – Responsible for maintaining and processing personal data records, as well as ensuring that processing partners also comply.
- A Data Protection Officer – Responsible for overseeing the data security strategy and making sure that you are GDPR compliant.
According to the new GDPR guidelines, consent will become a major factor in the storing of personal information. Consent must be explicitly given by those providing personal information and data controllers must be able to prove this. Furthermore, if an individual would like to withdraw consent, they are able to at any time, whereupon data must be deleted.
GDPR Pseudonymisation
Pseudonymisation is a process whereby information is transformed so as to not be attributable to a single individual without secondary verification. This means that personal data must be made “unintelligible” without the use of a secondary set of information by which to understand it. This may mean using encryption, or it may mean adopting a tokenization system.
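As an added illustration of the tokenization approach described above (example code, not from the original post or from Nexcess): direct identifiers in a customer record are replaced with random tokens, the token vault is the secondary set of information needed to re-identify anyone, and dropping a vault entry is one way to make a record no longer attributable after consent is withdrawn. The field names and sample record are constructed for this example.

```python
import secrets

# Fields treated as direct identifiers that must become "unintelligible"
# without the vault (constructed field set for this example).
DIRECT_IDENTIFIERS = ("name", "email", "ip_address")


class TokenVault:
    """Secondary dataset mapping token -> original value. Assumed to be stored
    and access-controlled separately from the pseudonymised records."""

    def __init__(self):
        self._token_to_value = {}

    def tokenize(self, value):
        token = secrets.token_hex(16)  # random token, not derived from the value
        self._token_to_value[token] = value
        return token

    def resolve(self, token):
        return self._token_to_value.get(token)

    def forget(self, token):
        # Consent withdrawn: drop the mapping so the pseudonymised record can no
        # longer be attributed to the individual.
        self._token_to_value.pop(token, None)


def pseudonymise(record, vault):
    """Replace each direct identifier with a vault token; other fields pass through."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = vault.tokenize(out[field])
    return out


def reidentify(pseudo_record, vault):
    """Undo pseudonymisation; fields whose token was forgotten come back as None."""
    out = dict(pseudo_record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = vault.resolve(out[field])
    return out
```

Call `pseudonymise(record, vault)` before handing a record to analytics or a processing partner; only a party holding the vault can run `reidentify`.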
GDPR Data Portability
Data portability concerns “the right for a data subject to receive the personal data concerning them”. This means that data must be portable and easily transferred to its subject in a ‘commonly used and machine readable format’.
By When Do I Have to Be GDPR Compliant?
GDPR compliance will be required by May 25, 2018.
What Are the GDPR Fines?
Fines for those who are not GDPR compliant will vary depending on the severity of non-compliance. At this point in time, examples of GDPR fines have not been released.
However, it has been indicated that fines of up to €20 million, or 4% of the worldwide annual revenue of the prior fiscal year, are likely for those who have not followed the basic principles for processing or conditions for consent.
For those who have not met their obligations as controllers, processors, or monitoring bodies under the GDPR, fines will instead be up to €10 million, or 2% of the worldwide annual revenue of the prior fiscal year.
Nexcess and GDPR
In order to help clients who will be affected by the GDPR, Nexcess will be GDPR compliant. We are currently working to ensure that our policies and procedures comply with the General Data Protection Regulation (GDPR).
In the coming weeks, we will be making sure that you are informed of any changes which take place to Nexcess’ services. At this point in time, we fully believe that you will be satisfied with those changes.
Note that this guide does not constitute legal advice and is rather an overview of the regulation changes which will take effect. For a full breakdown of the changes taking place, please consult the agreed text from the EUGDPR.org website.