An explainer on the European Union’s General Data Protection Regulation, which is set to take effect in May 2018.
If your company handles the personal data of EU residents, whether by offering them goods or services or otherwise, there is a good chance it needs to comply with the European Union’s General Data Protection Regulation (GDPR).
The law takes effect on May 25, 2018 and replaces the EU’s 1995 Data Protection Directive. It is meant to give EU residents more control over their personal data: how it is collected, who controls it, and how it is processed. Companies that control and/or process the personal data of EU residents, for their own purposes or on behalf of another business, will have to meet the GDPR’s requirements, whether or not they are based in the EU.
What counts as personal data?
Personal data is any information that relates to an identified or identifiable person. That covers a vast range of information: names, social security or national ID numbers, gender, location, online identifiers such as IP addresses and cookie IDs, ethnicity, and genetic or biometric markers such as fingerprints and facial images. Some of these (ethnicity, genetic and biometric data, and also health data, religious beliefs and political opinions) are “special categories” of data that may only be processed under narrower conditions.
What are data controllers?
A controller is the company or organization that determines the purposes and means of processing personal data: why it is collected and how it is processed.
An organization can be a controller for some data and a processor for other data, for example a controller of its own customers’ account details and a processor of the data those customers store in its service.
What are data processors?
A processor handles personal data on behalf of a controller and on the controller’s documented instructions, for example a hosting provider, a payroll service or a SaaS vendor. Under the GDPR processors carry obligations of their own, and the relationship with the controller must be governed by a written contract.
What do companies need to do to be compliant?
- Have a legal basis (such as consent, a contract, or legitimate interests) for collecting and processing the data
- Be transparent with individuals about what data is collected, why, and how it is used
- Notify the supervisory authority of personal data breaches promptly (within 72 hours of becoming aware of them, where feasible) and notify affected individuals when the breach poses a high risk to them
- Build data protection into products and services from the start of development and make the protective settings the default (“data protection by design and by default”)
Before any of that, companies should run data discovery activities such as data mapping and a gap analysis to get a true picture of how much personal data they control and process, where it lives, and on what basis it is used. A recent report from Forrester warned against approaching GDPR readiness through a fragmented framework that leans heavily on IT to satisfy specific requirements, such as focusing on breach notification, stating that such tactics are “short-sighted, and most likely will need radical revision after the enforcement of GDPR rules start in May.”
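To make the data-mapping and gap-analysis step concrete, here is an added example that is not part of the original article or any GitLab tooling. It takes a constructed inventory of data stores (the store names, fields and attributes are invented for illustration), builds a data map by flagging fields whose names suggest personal data, and then reports the gaps the compliance points above would surface: stores with personal data but no documented legal basis, purpose or retention period, special-category data that needs a specific condition to be processed, and processors with no written agreement in place. The field-name heuristics are an assumption and deliberately simple; a real discovery pass would also sample values and schemas rather than trust column names.

```python
"""Personal-data map and gap analysis over a constructed data inventory.

Added example for this explainer: the inventory, the field-name heuristics
and the gap rules below are illustrative assumptions, not a complete GDPR
checklist.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Field-name heuristics -> category of personal data. Checked in order, so a
# special-category match wins over a generic one, and "ip_address" is caught
# as an online identifier before the broader "address" contact rule.
PERSONAL_DATA_PATTERNS = [
    ("special_category", re.compile(r"ethnic|race|religio|health|genetic|biometric|fingerprint|facial", re.I)),
    ("identifier", re.compile(r"ssn|social_security|passport|national_id", re.I)),
    ("online_identifier", re.compile(r"ip_addr|cookie|device_id|user_agent", re.I)),
    ("contact", re.compile(r"email|phone|address", re.I)),
    ("location", re.compile(r"geo_|latitude|longitude|location", re.I)),
    ("demographic", re.compile(r"gender|birth|dob", re.I)),
]


@dataclass
class DataStore:
    name: str
    role: str                           # "controller" or "processor"
    fields: List[str]
    purpose: str = ""                   # why the data is processed
    legal_basis: str = ""               # e.g. "contract", "consent", "legitimate interests"
    retention_days: Optional[int] = None
    processing_agreement: bool = True   # processors: written contract with the controller


def classify_field(name: str) -> Optional[str]:
    """Return the personal-data category a field name suggests, or None."""
    for category, pattern in PERSONAL_DATA_PATTERNS:
        if pattern.search(name):
            return category
    return None


def build_data_map(stores: List[DataStore]) -> List[dict]:
    """Data map: one row per (store, field) pair that appears to hold personal data."""
    rows = []
    for store in stores:
        for field_name in store.fields:
            category = classify_field(field_name)
            if category:
                rows.append({"store": store.name, "field": field_name, "category": category})
    return rows


def gap_analysis(stores: List[DataStore]) -> List[Tuple[str, str]]:
    """Return (store name, gap description) pairs for stores that hold personal data."""
    gaps = []
    for store in stores:
        categories = {classify_field(f) for f in store.fields} - {None}
        if not categories:
            continue  # no personal data found: out of scope for these checks
        if not store.legal_basis:
            gaps.append((store.name, "no documented legal basis for processing"))
        if not store.purpose:
            gaps.append((store.name, "no documented purpose"))
        if store.retention_days is None:
            gaps.append((store.name, "no retention period defined"))
        if "special_category" in categories:
            gaps.append((store.name, "special-category data: needs a specific lawful condition"))
        if store.role == "processor" and not store.processing_agreement:
            gaps.append((store.name, "processor without a written processing agreement"))
    return gaps


# Constructed inventory for the example; nothing here describes a real system.
INVENTORY = [
    DataStore("crm_db", "controller",
              ["customer_id", "email", "phone", "billing_address", "ip_address"],
              purpose="order fulfilment", legal_basis="contract", retention_days=365),
    DataStore("analytics_warehouse", "controller",
              ["event_id", "cookie_id", "geo_latitude", "geo_longitude", "gender", "ethnicity"],
              purpose="product analytics"),            # no legal basis, no retention
    DataStore("support_tickets_saas", "processor",
              ["ticket_id", "requester_email", "body"],
              purpose="support on behalf of a customer", legal_basis="controller instructions",
              retention_days=90, processing_agreement=False),
    DataStore("build_cache", "controller", ["artifact_id", "sha256", "size"]),
]

if __name__ == "__main__":
    for row in build_data_map(INVENTORY):
        print(f"{row['store']:22} {row['field']:18} {row['category']}")
    print()
    for store_name, gap in gap_analysis(INVENTORY):
        print(f"GAP {store_name}: {gap}")
```

Running it prints a ten-row data map and four gaps: three against `analytics_warehouse` (no legal basis, no retention period, special-category data) and one against `support_tickets_saas` (no processing agreement); `crm_db` is fully documented and `build_cache` holds no personal data, so neither appears. The point of the exercise is the output of the gap list, which is the starting point for the non-IT work (choosing a legal basis, writing retention rules, signing processor contracts) that the Forrester report says a purely IT-driven effort misses.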
Failure to comply with the GDPR can result in serious penalties, the worst case being a fine of €20 million or 4 percent of the company’s total worldwide annual turnover for the previous financial year, whichever is greater.
For a more detailed look at the law and how organizations can ensure they’re compliant, check out GitLab’s GDPR page.
Cover image licensed under CC0 1.0