Have you been noticing more and more "policy changes" emails popping up in your inbox lately? Don't worry, you aren't going crazy. You are receiving them because businesses around the world are preparing for the effective date of the GDPR, the General Data Protection Regulation.
What is GDPR?
GDPR is a law that has been in the making since 2012 and takes effect today, May 25, 2018. Adopted by the European Parliament and Council in 2016, the GDPR is intended to give people located in the EU control over their personal data and to set rules for how businesses may use, store, and secure that data. In the U.S., personal data usually goes by another name: personally identifiable information (PII). It is as simple and as complex as it sounds. The Wall Street Journal defines it as "any data that can identify you," which includes your name, appearance, usernames, location data, and even your IP address. GDPR requires that, where a business relies on consent to process personal data, that consent be "freely given, specific, informed, and unambiguous." The intent is to do away with long privacy policies full of legal jargon that users click "accept" on without reading or understanding, and to give everyone involved a clearer picture of how personal data is being used.
GDPR is not only about users' and customers' consent to sharing personal data; it also lays out what must happen after a security breach. GDPR introduces a 72-hour breach notification rule: once a business becomes aware of a breach of personal data, it must notify the relevant EU supervisory authority within 72 hours unless the breach is unlikely to pose a risk to the people affected. Forbes explains, "When there's a breach involving 'accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed,' then IT groups will need to analyze whether the exposed or affected EU personal data identifiers can cause 'risk to rights and freedoms' of EU data subjects." Where the breach is likely to result in a high risk to those individuals, they must be told as well, without undue delay. In practice this means a business needs an incident response process that can detect a breach, assess which personal data was affected, and produce a notification on a short clock, rather than keeping the event quiet.
Violations of GDPR are broken down into two tiers, and the penalties are not cheap. Fines for the lower tier can reach €10 million or 2% of worldwide annual revenue, whichever is higher; the upper tier, which covers violations of the core principles such as consent and data subject rights, can reach €20 million or 4% of worldwide annual revenue, whichever is higher. With GDPR's focus on personal data consent and protection, many businesses around the world are changing their privacy policies to fit their EU customers.
It's for the EU. Why does it matter to me?
American companies and citizens commonly assume the new law does not apply to them, but that can be quite a misconception. Forbes points out, "U.S.-based hospitality, travel, software services and e-commerce companies will certainly have to take a closer look at their online marketing practices. However, any U.S. company that has identified a market in an EU country and has localized Web content should review their Web operations." A business outside the EU falls under GDPR when it offers goods or services to people located in the EU (for example, by targeting that market with localized content, EU currencies, or references to EU customers) or when it monitors the behavior of people in the EU, such as by tracking website visitors. Under GDPR, no financial transaction is necessary for these rules to apply; a free service or newsletter aimed at EU users counts. If your business has an EU market, you may want to reach out to a Managed IT Service Provider, like Access Systems.
How can Access Systems help?
Access Systems is well versed in a variety of security compliance frameworks, including our recent SOC 2 examination. If you are concerned about how your business may be impacted, give us a call at 515-987-6227. Our security specialists are here to keep you protected.