How many times a day do you think about data privacy and security?
Whatever your number is, it’s about to increase! The upcoming General Data Protection Regulation (GDPR) is setting the new standard for data privacy and security across the European Union (EU) and beyond by establishing data privacy as a fundamental right for all EU citizens. That means it’s time to start keeping your data, and the data of your customers, top of mind.
According to the EU’s informational website, the GDPR serves “to give citizens back control over their personal data, and to simplify the regulatory environment for business.” Notably, the GDPR doesn’t just impact those who reside or process data in the EU – everyone who offers goods or services to citizens of the EU, or monitors their data, will be affected. It bears repeating: any company that processes the personal data of people in the EU must comply with the new regulations.
Considering that it’s been more than twenty years since the Data Protection Directive, there are many changes in the new act worth examining. We outline the latest – and what it all means for you – below.
GDPR changes in 2018
The regulation states that organizations are responsible for all personal data processed from or residing in the EU – even if the organization is not located in the EU. This applies to “controllers” (the organization collecting the data) and “processors” (the organization acting on the data collected) of personal and sensitive data. Personal data is summarized in this article as “a complex category of information, [which] broadly means a piece of information that can be used to identify a person. This can be a name, address, IP address... you name it. Sensitive personal data encompasses genetic data, information about religious and political views, sexual orientation, and more.”
Along with the increased data coverage, the GDPR changes the meaning of consent for the companies it affects. It strengthens the conditions of consent, requiring that it be as easy to withdraw consent as it is to give it. In an important clarification, the UK Information Commissioner’s Office (ICO) says: “There must be some form of clear affirmative action – or in other words, a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity.” Additionally, the purpose for collecting the data and the way it will be processed must be made clear and distinguishable to the user at the point of giving consent.
The GDPR has a new focus on accountability, requiring organizations to demonstrate how they comply with the data protection principles. Specific changes to take note of include:
The Right to Access: Once the GDPR is enforced, requests for personal information can be made for free – including what data is being processed, where and why. Wired UK sums up the benefit of this change best, saying that the GDPR “gives individuals a lot more power to access the information that's held about them.”
The Right to be Forgotten: This gives data subjects the right to have the controller immediately erase their data, cease dissemination of the data, and halt processing of the data. The trigger could be as simple as the user withdrawing consent, or the data no longer being relevant. Of course, this isn’t a cut-and-dried subject – controllers are allowed to refuse in certain situations and are guided to “compare the subjects’ rights to ‘the public interest in the availability of the data’ when considering such requests.”
Data Protection by Design and Default: This concept is not new; however, it is now being enforced directly through regulation. With the GDPR requirement for data protection by design and default, “Businesses will now find themselves subject to a specific obligation to consider data privacy at the initial design stages of a project as well as throughout the lifecycle of the relevant data processing.” This means that the security of personal data must be built in from the outset of a project, rather than bolted on at the end (as many projects, unfortunately, do now). Failing to document and properly incorporate protection by design and default can be an aggravating factor when penalties are assessed; doing it well is an important way for an organization to keep itself safe.
What the GDPR means for you
The GDPR will be enforced beginning May 25, 2018, by each country within the EU and by the Information Commissioner’s Office in the UK. Throughout this article, we have referred to the UK and the EU interchangeably. This is because, from all we have seen from the ICO, Brexit will not affect the core tenets of the GDPR, and the UK will uphold the GDPR as it has always planned, prior to leaving the EU.
Make no mistake, the GDPR will impact many organizations – both inside and outside of the EU – and compliance is critical. Under the regulation, your organization can be fined for anything from processing data incorrectly to failing to appoint a data protection officer (where one is required). Penalties follow a tiered approach to infringements based on the size of the breach and any aggravating factors. The maximum fine that can be imposed on organizations in cases of severe breach of the GDPR is “up to 4% of the annual global turnover or €20 million (whichever is greater).”
As technology continues to change how business is done around the world, the EU is strengthening data protection with the GDPR. And while the risk of a large penalty is real, the GDPR is focused on the right of people to know the “5 W’s” of how their data is processed (Who, What, When, Where, Why). The best way to ensure that you’re compliant and your data is safe in light of these upcoming changes is for your organization to adopt a security-by-design posture. Lockr can assist with this by providing secure storage for secrets such as API tokens and encryption keys. Lockr’s architecture and design protect against critical vulnerabilities and deliver security that helps sites comply with industry regulations like the GDPR, all while being simple to integrate.
Lockr is the first hosted API and encryption key management service for content management systems such as WordPress and Drupal. With Lockr, you can keep your website secure, choose where and how your data is stored, and stay in control of your information, all in line with the best practices of the GDPR. To prepare for the GDPR changes and learn more about Lockr, you can set up a trial account here.