The Future with GDPR
If your business exchanges information with any party located in the European Union (EU), whether directly or through a third party, you will be aware by now of the new GDPR regulations. The GDPR was specifically enacted to protect the personal data that companies around the world hold on citizens of the EU, ensuring both that this information is kept safe and that people have access to any information held on them by any company.
Now that the regulations have taken effect, you might wonder what comes next. A main aspect of the GDPR is the idea of privacy by design, which businesses can accomplish by making sure that the data they collect on users is minimised. Companies must now have a data protection officer (DPO) in their employ, which can be an existing employee who takes on the new duties within their current role, or a newly created position. The tasks a data protection officer must take on include being the central contact for any user located in the EU who wishes to pursue their ‘right to be forgotten’ under the GDPR. This means that the DPO has an email address published on the website that any user can write to in order to request their information for review or deletion, or to have it replaced with up-to-date details.
The need to keep data safe within a business obviously extends to the computer security measures businesses have in place, and these will need to be at the highest level of security available. In cases of a breach of data protection, a business can now face extremely large fines, with more serious cases open to liability of up to 4% of annual global income, or $20 million (whichever is greater). For less serious offences, fines of up to 2% of annual global income can be levied.
It is also important to be aware of the data protection steps taken by other businesses with which your business shares any information. A business can be held liable for a breach of data protection that happens at a third party with whom that business shared private user details, so it is important to ensure that all third parties your business shares personal data with are likewise following the GDPR.
This need to comply with the GDPR extends to any business that opens itself up to dealing with any citizen of the EU, regardless of where the business is located globally. This is why many US businesses have been busy working toward GDPR compliance, including by certifying under the Privacy Shield. Companies are also required to notify the data protection commissioner within 72 hours of any breach of personal data. There is also a responsibility on businesses to notify the data subject if the breach is serious enough to pose a high risk to their rights or freedoms, such as when banking or personally identifiable data is the subject of the breach.