The Impact of GDPR Outside the EU
Moreover, organizations collecting this data must allow users to take their data with them or delete it entirely if requested. Compliance audits will become regular events. GDPR mandates privacy by design and by default. A quick interpretation means that users must “opt-in” rather than “opt-out” of data collection schemes.
Data minimization, purpose and storage limitations are important principles in the new regulation. Simply put, don’t collect more information than necessary, don’t use it for purposes other than what you state, and store it only as long as needed. Exceptions do exist for health, public safety, and national security reasons.
Within each EU member state, the GDPR establishes the position of Supervisory Authority, a government official responsible for overseeing the implementation and enforcement of the regulation. When organizations detect a breach of EU citizens’ personal data, they are required to report it to the Supervisory Authority in each affected Member State within 72 hours. The use of encryption on PII can be a mitigating factor in data breaches, which may obviate the need for disclosure to data subjects.
Ideally, data about EU citizens should be housed within the EU. GDPR has provisions for data transfers outside the EU, and the best way to avoid being subject to these conditions is to keep it local. One weakness of GDPR is that it doesn’t adequately define the term “third country”. This will likely cause additional legal debate.
In cases where regular transfers of EU subject data are expected to occur between Member States and other countries or international organizations, the EU Commission may make “adequacy decisions” which facilitate these exchanges. One such example is the EU-US Privacy Shield. The EU-US Privacy Shield framework replaced the former Safe Harbor, which was ruled invalid by the European Court of Justice. Companies may apply and self-certify that they meet the criteria contained therein.
With a little over a year to go before GDPR implementation, now is the time to prepare. To help customers comply, software vendors, e.g. IAM, IaaS, SaaS, and marketing solutions providers, need to:
- Build fine-grained consent options into their UIs
- Provide granular data encryption capabilities
- Respond to personal data export and data deletion requests
- Where appropriate, allow parents or guardians to control the use of children’s PII
- Develop GDPR compliance auditing and reporting tools
Organizations that have European operations or do business with EU citizens will need to:
- Inventory all data
- Conduct data privacy impact assessments
- Encrypt PII data at rest and in transit
- Modify privacy policies, data collection processes, and data handling procedures
- Develop rapid data breach notification processes
- Add mechanisms to customer portals so that users can provide consent to data usage
- Possibly migrate and prune PII from systems
- Apply for EU Commission approved transfer adequacy programs, e.g. EU-US Privacy Shield
GDPR will certainly enhance EU citizen privacy, but the fines for violations could be substantial. Make sure your IT systems and processes are ready.