Data is a hot topic these days, and often in a bad way. Think about all the massive breaches, like the one at Yahoo, where 3 billion accounts were compromised, or the one at Equifax, which gave up the Social Security numbers of 143 million customers. Then there are the recent accusations that Cambridge Analytica used the data it had collected for purposes it never told people about, namely the hyper-targeting of individuals for political ads.
Our personal data has become extremely valuable, and business and political organizations are increasingly interested in finding new ways to use “big data” for their own benefit. We can all probably agree that our data should be closely guarded and that our consent ought to be required before it is used, but at the moment that often simply isn’t the case. So who’s going to do anything about it?
Well, the European Union (EU), that’s who. Yes, just like a slightly bureaucratic-looking superhero with a starred blue cape, the European Union has decided to implement the most comprehensive international data protection legislation yet. It’s called the General Data Protection Regulation or GDPR for short.
It does not have quite the widespread appeal of Superman or Wonder Woman, and is also possibly the most boring comic book of all time, with its 99 articles written in polysyllabic legalese and a distinct lack of pictures. However, while the GDPR may be far from the data superhero we want, it’s definitely the one we need.
As you can imagine, the actual legislation is quite voluminous, so if you don’t happen to have the time to read through the whole thing, we’ve decided to help out by distilling the document down and serving up the most important parts.
What is meant by Personal Data?
In the General Data Protection Regulation, “personal data” is defined as any information which can directly or indirectly be used to identify someone. This includes everything from the very obvious, like names, an international contract, bank details, and medical information, to the less obvious, such as IP addresses and photos.
Who does the GDPR apply to?
The GDPR applies to any organization which holds or processes this personal data relating to EU citizens. It not only applies to businesses located in the EU, but also applies to organizations outside the EU that offer goods or services to EU data subjects, or monitor the behavior of EU data subjects. This is an extremely broad scope and in essence applies to anyone doing business in the EU. For example, consider a circumstance under which you offer to provide services to a French person. In the process, you obtain personal information, such as the French person’s name, telephone number, and email address. You are now obligated to comply with the GDPR and protect the information.
When does the GDPR take effect?
The EU is currently governed by the 1995 Data Protection Directive (Directive 95/46/EC). The provisions of the GDPR are scheduled to take full effect on May 25, 2018.
What happens if you don’t comply?
The penalties for non-compliance follow a tiered system tied to the severity of the infringement. They allow for an organization to be fined up to 4% of its yearly revenue, to a maximum of €20 million.
- Firms must have consent for every use of personal data. They are also required to obtain this consent in clear language, not by using complicated phrasing to hide their intentions.
- EU citizens will have the right to access all the data about them that is being processed, completely free of charge. Organizations must provide this information within a month.
- The controversial right to be forgotten means that EU citizens can ask for the erasure of their data if certain conditions are met, such as the data no longer being relevant to its original purpose.
- Once an organization becomes aware of a breach, it has 72 hours to inform the appropriate authorities. Affected individuals must be given this breach notification within a month.
- Data cannot be transferred outside the EU to a jurisdiction that cannot guarantee the same level of data protection.
How can ContractSafe help?
The GDPR will be implemented soon, and it’s time for all affected businesses to make sure that they are in compliance. To make life easier for our customers, we offer the option of hosting their data either in the United States or within the EU. This makes it simple to ensure that any EU-related international contract or other information remains fully compliant with the GDPR. We’re just doing our bit to help GDPR, the data privacy superhero, do its important work. Perhaps that makes ContractSafe the true superhero in this story! Contact us today for your free trial.