8 GDPR Pillars That Define The Latest European Privacy Law

What The GDPR Means to USA Companies

It might seem like the GDPR appeared out of nowhere. It may seem particularly weird if your business is focused elsewhere like the United States or Asia. You may wonder why it matters. So, what does this new Euro-law mean if you don’t have significant EU business interests?

The European Union has been building up to this day for many years. In 1995 it adopted the Data Protection Directive (95/46/EC). A directive is not a regulation: it set out principles that each member state had to write into its own national law, so the rules ended up varying from country to country.

The GDPR has applied since 25 May 2018, and its Articles are now the law for anyone holding personal data about people in the EU (residents, not only citizens). The regulation governs how any organization or business handles that personal data, whether it collects, transfers, stores or processes it, and a company that fails to comply can face enforcement action and fines.

So, it matters to you if you hold data about, create accounts for, or accept memberships from people in the EU. It applies just as much if a third-party vendor does any of that on your behalf. And if you provide storage, processing or network infrastructure for other companies, the regulation treats you as a processor with obligations of your own, so their GDPR problems can become yours too.

The New Muscles from Brussels

The fines are imposed by each member state's data protection authority, and the top tier runs to €20 million or four percent of your worldwide annual turnover, whichever is higher. If you're a small to medium-sized company operating on a low margin, that could be a killer blow.

You’re not in Europe? Here’s the thing: the regulation reaches outside the EU. Article 3 applies it to any organization, wherever it is based, that offers goods or services to people in the EU or monitors their behaviour, and such organizations generally have to appoint a representative inside the EU. Collecting a fine from a company with no European footprint is harder in practice, but most businesses with EU customers have subsidiaries, partners or payment flows that regulators can reach. Unless you want to be some kind of Dark Web outlaw, there’s no place to hide.

The GDPR didn’t just appear overnight. It was adopted in April 2016 and became applicable in May 2018, a two-year transition in which organizations were expected to get ready. The regulation replaces the 1995 Data Protection Directive.

The Eight OECD Privacy Principles

The rules trace back to the OECD’s 1980 Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, adopted by the OECD’s members, which include the United States and most of Western Europe. That document laid out eight privacy principles, which Europe has used as the basis for the current legislation.

  1. Collection Limitation Principle – There should be limits on the personal data you collect, and it should be obtained by lawful and fair means, with the knowledge or consent of the subject where appropriate. You can’t just drag a net through the subject’s life.
  2. Data Quality Principle – Any personal data you collect must be relevant to the purpose for which you obtain it, and kept accurate, complete and up to date to the extent that purpose requires.
  3. Purpose Specification Principle – The purpose for which you collect the data must be specified no later than the time you gather it, and later use must be limited to that purpose or to purposes compatible with it.
  4. Use Limitation Principle – You should not disclose the data, or use it for some other purpose, without the express consent of the subject or another legal basis for doing so.
  5. Security Safeguards Principle – The data should be protected by reasonable security safeguards against loss, unauthorized access, destruction, use, modification or disclosure.
  6. Openness Principle – Your policies and practices should be transparent, and subjects should be able to find out what data you hold, why you hold it, and who controls it.
  7. Individual Participation Principle – Individuals should have the right to find out whether you hold data about them. You should respond to such inquiries openly, within a reasonable time, and in a form they can understand. Subjects should be able to access the data you hold about them, challenge it, and demand corrections and deletions.
  8. Accountability Principle – As the data controller, you are responsible for complying with these principles and accountable for the personal data you hold.

The GDPR encodes these principles in its ninety-nine Articles. The regulation attempts to capture the spirit of the Eight Principles and shift power away from large data-gathering entities and back to the individual.

Data Protection in Defense of Personal Privacy And Democracy

Other countries are drafting data protection laws modelled on the EU’s rules, but you probably already feel the impact if you collect, process, or store data. The risk of holding the personal data of people in the EU on your servers and mishandling it is high, at least on paper. The regulation applies whether you work directly with customer accounts or provide a platform for third-party service providers.

If you believe in democracy and personal privacy, data protection is a shield that protects both of these worthy goals. Europe has taken the lead for now, based on the solid foundation of the OECD’s eight Privacy Principles. I suspect these points will inform future laws in other countries too. The exceptions are likely to be authoritarian nations that value power over principles.

It’s still early days for data protection. The first prosecutions have yet to get to court as I write this post. We have yet to see how sharp the teeth of the GDPR will be. One thing is sure: the scope and possible risks of handling EU personal data have made the global information technology industry collectively sit up and listen.
