As cybercrime becomes more prevalent, international governing bodies and individual governments have set standards for cybersecurity in companies that handle their customers’ data. I’ve previously talked about the FTC and the NIST Cybersecurity Framework on this blog, but now I’m going to explain the European Union’s General Data Protection Regulation, also called the GDPR. The GDPR effectively replaced the E.U.’s privacy law from 1995. It is a wide-ranging, practically global privacy and data security regulatory scheme that affects anyone who touches European Union citizens’ data. Companies that aren’t compliant are punished with massive fines. But what if you’re a company based in the U.S.? Can these fines reach you over the ocean? They most certainly can, and the E.U. has no problem fining American companies that operate in Europe and hold data from citizens of the E.U.
When I say fines, I mean hefty ones. Violators can be fined up to 4% of their revenue or 20 million euros, whichever is higher. With consequences like that, you need to know the rules and stick to them if you want to process or control European Union citizens’ data, regardless of where you are based. To illustrate just how large this fine is, I’ll go back to TalkTalk, a company in the U.K. that had a data breach and was fined 400,000 pounds. Under the GDPR, that fine would have been 59 million pounds, quite a difference. And while the GDPR has some very technical language and phrases that are commonplace in Europe but rare in America, Article 4 of the document contains definitions of all of these problematic terms, so that anyone could understand it if they spent enough time reading.
The GDPR was written and released on May 4th, 2016, but was not enforced until May 25th, 2018, giving companies two years of notice before the regulations came into effect. The GDPR has over 200 provisions with many sub-parts, but it comes down to two core areas: substantive privacy rights and substantive security requirements. The privacy rights are detailed in a chapter of 18 articles, giving data subjects the right to, essentially, transparency. The ability to access your data, change it if it’s wrong, and even remove it are all detailed. However, the data must be anonymized as well. The security requirements are about data controllers (whoever holds the data) and data processors (whoever works with the data). So, a data controller could be a bank that holds account information, and a processor could be the company that prints bank statements with that data on them. I’m going to put this on hold for now, and next week I’ll write some more about the liabilities of data controllers and data processors.