The General Data Protection Regulation (GDPR) becomes enforceable on May 25th, 2018, and it will have sweeping effects on how companies handle the data of people in the European Union, including companies based outside the EU. GDPR requires a Data Protection Officer (DPO) to be designated in any public authority that processes personal data (courts acting in their judicial capacity excepted), and the private sector is not exempt: any organization whose core activities involve regular and systematic monitoring of people on a large scale, or large-scale processing of sensitive categories of data, must designate a DPO to ensure that the regulation is being followed. These DPOs aren't just responsible for the legal knowledge of how to apply the privacy rules in GDPR; the regulation calls for expert knowledge of data protection law and practice, which in a modern company means a solid grounding in cyber security and IT as well. DPOs will also need a support team to assist them as they work to keep companies in line.
GDPR promotes pseudonymization as a safeguard (it appears in the data-protection-by-design and security-of-processing articles), which means personal data is processed so that it can no longer be attributed to a specific person without additional information that is kept separately, for example a lookup table or a secret key stored away from the data set. A company can still analyze your age, height, search history, and a dozen other factors, and still tell which records belong to the same person, but nobody without that separately held information can put a face and a name to the data. Under GDPR, data controllers are also required to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach that is likely to put people at risk, or face the repercussions.
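To make the distinction concrete, here is an added example (not code from the original article) of keyed pseudonymization in Python. It replaces the direct identifier in a handful of constructed, fictional records with an HMAC-SHA256 token under a secret key, shows that records of the same person still join up for analysis, that only the key holder can map tokens back to people, and, as the caveat practitioners should know, why an unkeyed hash of an e-mail address is not a pseudonym: anyone with a list of candidate addresses can recompute it. The record fields and the helper names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for the illustration (fictional people).
# Each row mixes a direct identifier (email) with attributes a company analyzes.
RECORDS = [
    {"email": "alice@example.com", "age": 34, "height_cm": 168, "query": "running shoes"},
    {"email": "bob@example.com", "age": 41, "height_cm": 180, "query": "tax software"},
    {"email": "alice@example.com", "age": 34, "height_cm": 168, "query": "marathon plan"},
]


def pseudonymize(record, key):
    """Replace the direct identifier with a keyed pseudonym.

    HMAC-SHA256 under a secret key is deterministic, so both Alice rows share
    one token and can still be joined for analysis, but without the key the
    token cannot be mapped back to the address. The key is the 'additional
    information' that must be stored separately from the data set.
    """
    token = hmac.new(key, record["email"].encode("utf-8"), hashlib.sha256).hexdigest()
    out = {k: v for k, v in record.items() if k != "email"}
    out["subject_id"] = token
    return out


def pseudonymize_all(records, key):
    return [pseudonymize(r, key) for r in records]


def reidentify(pseudonymized, key, known_emails):
    """Only the key holder can reverse the mapping, and only for identifiers it
    already knows (for example, to answer a data subject's access request).
    Returns the matching e-mail per row, or None when nothing matches."""
    lookup = {
        hmac.new(key, e.encode("utf-8"), hashlib.sha256).hexdigest(): e
        for e in known_emails
    }
    return [lookup.get(p["subject_id"]) for p in pseudonymized]


def naive_hash(email):
    """What NOT to do: an unkeyed hash involves no secret, so it is not a
    pseudonym in the GDPR sense. It is included only to show the weakness."""
    return hashlib.sha256(email.encode("utf-8")).hexdigest()


def attacker_reidentifies_unkeyed(hashed_ids, candidate_emails):
    """An outsider with a list of plausible addresses (a leaked customer list,
    a marketing database) recomputes the unkeyed hashes and wins every match."""
    table = {naive_hash(e): e for e in candidate_emails}
    return [table.get(h) for h in hashed_ids]


def demo():
    """Run the whole comparison and return the results as a dict."""
    key = secrets.token_bytes(32)          # kept by the controller, away from the data
    wrong_key = secrets.token_bytes(32)    # what an outsider would have to guess
    candidates = ["alice@example.com", "bob@example.com", "carol@example.com"]

    keyed = pseudonymize_all(RECORDS, key)
    unkeyed = [naive_hash(r["email"]) for r in RECORDS]
    return {
        "keyed": keyed,
        "same_person_joins": keyed[0]["subject_id"] == keyed[2]["subject_id"],
        "controller_reidentifies": reidentify(keyed, key, candidates),
        "outsider_with_wrong_key": reidentify(keyed, wrong_key, candidates),
        "outsider_vs_unkeyed_hash": attacker_reidentifies_unkeyed(unkeyed, candidates),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The design point is key separation: the analytics team gets the pseudonymized rows, the key lives with whoever is accountable for re-identification, and a leak of the rows alone does not expose who the subjects are. Rotating the key produces a fresh, unlinkable set of tokens, which is useful when a data set is handed to a third party.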
The GDPR's corrective measures, which the regulation groups under the heading of sanctions, vary in severity from:
- A warning or reprimand
- Data protection audits, and orders to bring processing into compliance or to stop it altogether
- Administrative fines of up to 20 million euros or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher
These sanctions seek to keep companies in line by levying hefty fiscal penalties against them for failing to comply with the GDPR. The GDPR requires that companies tell people whose data they use that they are doing so, and those people must be able to request access to their data and learn what it is being used for. Companies must provide clear, understandable guidance to anyone who requests information, and failing to do so could see them sanctioned. One thing to note is that the fines come in two tiers (the lower tier tops out at 10 million euros or 2% of worldwide turnover), and the regulators choose the measure that fits the breach, so companies aren't going to have a lot of wiggle room. A single mistake might get you a warning, but repeat or serious offenders are going to find themselves drowning in fines and audits. GDPR also requires data protection by default: privacy settings must initially be set high, or to their highest, without input from the user. If a user wants to lower their privacy settings or allow more access to their data, they are free to do so, but companies can't take advantage of new users unless they want to suffer the consequences.
Max is a Legal Assistant and author residing in the Philadelphia area. He has been writing for AskCyberSecurity.com since early 2017.