By Michael Nadeau
June 30, 2017
Last April, the European Parliament adopted the General Data Protection Regulation (GDPR). It carries provisions that require businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. The GDPR also regulates the exportation of personal data outside the EU. Companies that do business in EU countries or process the personal data of EU citizens must be in compliance by May 25, 2018. (For more detail on what the GDPR means to U.S. businesses, see “General Data Protection Regulation (GDPR) requirements, deadlines and facts.”)
The provisions are consistent across all 28 EU member states, which means that companies have just one standard to meet within the EU. However, that standard is quite high and will require most companies to make a large investment to meet and to administer.
The GDPR contains 99 articles that define its requirements and rights granted to EU citizens, GDPR operations and structure, and penalties. The articles that will have the most significant impact on business are:
Article 5, processing and storing personal data: All personal data must be processed lawfully and transparently, and only for the purpose specified to the individual. That data may be stored “in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.” All personal data must be processed securely to protect against unlawful access, loss or damage “using appropriate technical or organizational measures.” Those measures are not defined, but presumably if the data is lost or stolen, a company could be considered not in compliance.
Articles 6, 7 and 8, consent: All processing of personal data must be done lawfully, by which is meant that each individual must give consent to use their personal data. The data collected must also be necessary to complete a task or transaction initiated by the individual, with the exception of public authorities.
Article 15, right to access: EU citizens have the right to know upon request what personal data a company is using and how it is being used.
Article 17, right to be forgotten and to data erasure: EU citizens can expect companies to stop processing and to delete their personal data upon request.
Article 20, right to data portability: EU citizens may transfer their personal data from company to company upon request.
Articles 25 and 32, data protection: Companies must be able to provide a “reasonable” level of data protection and privacy to EU citizens. It’s not clear what the GDPR governing body will consider reasonable.
Articles 33 and 34, reporting data breaches: Companies must report data breaches to supervisory authorities and individuals affected by a breach within 72 hours of when the breach was detected.