Data and privacy seem to be the buzz words at the moment, and rightly so. With us now living large amounts of our lives online, data is being collected, processed, stored, and used in ways we have never imagined. In the wrong hands, the personal data collected can be both priceless and deadly. So, in an effort to protect the citizens of European Union (EU) countries, the EU government has devised a new set of stringent rules for all companies trading in the EU to protect consumer data as if it were a state secret. Just like most laws and regulations, though, they can be confusing, but this is not a time to be complacent because failure to understand and/or comply could see you and your business in very hot water indeed. So, what are the rules and why do you need to know them?
GDPR – General Data Protection Regulation
The General Data Protection Regulation is a new standard for consumer rights and the protection of consumer data. Born out of need, the new (-ish) regulation, which was established in 2016, replaced an outdated model from 1995 – a time when many processes were still reasonably analogue, including operations relating to data collection.
Essentially, the new regulations require businesses to go above and beyond to protect the privacy of their EU market by complying with laws relating to transactional data generated within the 28 member states and the exportation of such data across borders – whether those borders be tangible or not.
Consequently, businesses must ensure that information is:
- used fairly, lawfully, and transparently
- used only for stated and clearly expressed purposes
- used in a way that is acceptable, appropriate, and limited to what is deemed necessary
- correct and, where required, updated regularly
- expunged when no longer needed
- handled in a way that guarantees appropriate protection against unlawful or unauthorised processing, access, loss, destruction, or damage
Like everything EU-related, it is about legal cohesion, so instead of a bunch of different laws stipulated by each country and about as varied as EU culture itself, organisations now only have one unified regulation for all member countries within the EU. In theory, this should make things easier for businesses as the amount of red tape is reduced, but, unfortunately, as the regulation standards are so high, companies are often required to invest large amounts of money to ensure compliance with regulation guidelines.
Although the UK is no longer a member of the EU, GDPR still applies and is overseen by the Information Commissioner's Office (ICO).
What types of data do the new regulations cover?
Data is currently one of the world’s most important assets. With everything becoming electronic, the very essence of who we are can be found online – from where we live and what we like to how we voted in the last election. Therefore, there is a growing concern over how that data is handled and whether it is being kept safe and secure.
The GDPR, then, is aimed at protecting data such as:
- Basic identifying information such as names, addresses, and ID/social security numbers
- Web data including IP addresses, cookie data, location, and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
Who needs to comply with the regulations?
Simply put – if your business is in any way processing any of the above-mentioned data points from citizens within EU states, then you are legally required to comply with the laws. With Brexit having finally arrived at our doorstep, this is particularly important for companies located in Britain but with a customer base that still spans Europe as Brexit/EU laws and agreements remain a little up in the air. Regardless of this, though, EU law still reigns supreme right now, so as the privacy and protection of the consumer data is the issue, the location of the company, or processor, is seen as irrelevant.
Who is responsible for compliance?
There are more roles responsible for playing their part in GDPR compliance than you might think. Whether it be personally or professionally, our society functions on a system of integrated networks – as do our businesses – so responsibility falls at the feet of many, not just one, and those people will often be the data controller, data processor, and data protection officer. But external contractors, such as cloud providers, can also be liable, which is why it is essential that you partner with service providers aware of the regulations and what needs to be done to comply with them, so both your customers and your business remain protected.
Compliance is necessary
To be compliant, you need to know the laws or trust that the people you have teamed up with know them and know what needs to be done so that you are complying with them – NetworkIQ can help. Call our expert team today to learn more.