GDPR: What information is protected and who must comply?

GDPR: What information is protected and who must comply?

Have you noticed that businesses are frantically reviewing all their data capture and processes now more than ever? Have you experienced a new-found respect for your time and privacy from newsletter publishers and e-marketers asking you whether you’d like to continue receiving their emails?

Then, you can thank the European Union (EU) for its newly enforced General Data Protection Regulation (GDPR), which went into effect on May 25, 2018 (after two years of preparation and debate). This law gives all citizens in the EU more control over how companies collect and store their data -- even companies outside the EU.

GDPR aims to establish digital privacy as one of the fundamental rights for residents in all 28 EU member states. It requires any company dealing with personal data to state how the information will be used, and to give users the opportunity to forbid these practices.

Personal data would, of course, also include personally identifiable information (PII), protected credit information (PCI), and protected health information (PHI).

The U.S. Federal government requires organizations to identify PII and PHI and handle them securely. Unauthorized release of these data could result in severe repercussions for the individual whose information has been compromised, as well as for the government entity responsible for safeguarding that information.

PII includes personal identification numbers, such as a driver’s license number or a passport number. In the case of PCI, there are regulations such as the Fair Credit Reporting Act (FCRA) that protect consumers from the willful or negligent inclusion of inaccurate information in their credit reports. Then, there is also the Health Insurance Portability and Accountability Act (HIPAA), which required certain security regulations to be adopted for PHI.

GDPR also makes it clear that consent can be withdrawn and revoked at any time for data capture and processing by businesses. This was Originally known as the ‘right to be forgotten’, where data can be completely removed or deleted. The GDPR legislation has been watered down and termed ‘the right to erasure’.

This brings us back to those wonderfully polite email newsletters. If you store EU-based email addresses, even if you're a small US company, you need to follow GDPR standards.

One thing businesses must do is request user consent through an explicit “opt-in” checkbox or signature form. So if your website has submission forms with boxes that are ticked by default, you can say bye-bye to them!

Here are some other things you need to know.

Why is GDPR important?

GDPR has already made its presence felt. It applies in Europe, obviously, but also affects foreign companies. U.S. firms that have employees or customers in Europe need to make drastic changes, and GDPR has already shut down several news websites and initiated a billion-dollar lawsuit against Google and Facebook. But small businesses must make changes, too.

Any company that stores or processes personal information about EU citizens must comply with GDPR, even if they have no business presence within the EU. Here is how the law defines who needs to be compliant:

  • A company that does business in the EU (e.g., eCommerce or physical presence)
  • A business without a presence in the EU, but that processes personal data of European residents

Any business that meets any of these standards and has over 250 employees needs to follow GDPR. Supposedly, there's an exemption for businesses smaller than that, but the law says if a small business with its data processing impacting the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data, then it also needs to comply.

That effectively means almost all companies. It comes as no surprise why 92 percent of American companies state that GDPR compliance is one of their top priorities at the moment. According to an Ovum report, about two-thirds of U.S. companies believe that the GDPR will require them to rethink their strategy in Europe.

What data does GDPR protect?

We’ve used the email address example a few times, but there’s a lot more information that falls under the protection of GDPR:

  • Basic identity information such as name, address and ID numbers
  • Web data such as location, IP address, and "cookies" that use browsing history to pick which ads to show
  • Health and genetic data
  • Biometric data
  • Racial or ethnic data
  • Political opinions
  • Sexual orientation

You then ask yourself: Why should I care? How does it affect my business here in Huntsville? Here are some changes that will impact how you operate in a GDPR world:

On the technical side of things, you'll be required to identify the affected data, conduct a risk assessment determining the probability and damage of each scenario, create a protection plan, and nominate a protection officer.

From the marketing side of things, the inability to send unsolicited emails to targeted mailing lists or collect addresses without explicit consent is now in effect due to GDPR. You will need to revamp your digital marketing strategy to reach a wide audience without running afoul of regulations. Focus on creative and valuable content.

Thankfully, GDPR specifically states that all of this can be handled by an outsourced IT security solutions provider like F1 Solutions!

This is just a general overview of how GDPR might impact your business. F1 Solutions is here to advise you on any of your GDPR questions or needs. Call us today.

Need help finding ways to reduce business costs? Our FREE eBook has the answer.Learn more here