Businesses brace for EU privacy reform

April 16, 2018
Justin Hall
Director, Security Services

The impending enforcement of the European Union’s General Data Protection Regulation (GDPR) will lead to challenges for nearly any business that operates on the internet. The sweeping privacy reforms demand a new standard in handling personal information.

There’s a good chance this improves protection of personal information for everybody, simply because building the machinery to honor these requirements only for EU users may cost more than building it once for all of a company’s customers or users.

What should I know about the GDPR?

If you’re unfamiliar with the GDPR, I suggest spending a few minutes watching this excellent primer from Habitu8. In short: 

  • The GDPR defines personal data broadly: any information that can identify an individual, directly or indirectly, including online identifiers such as the IP address or cookie tied to the device they’re using. 
  • If you collect, store, or otherwise “process” this kind of information about people in the EU (residence, not citizenship, is what matters), you’ll be required to document what you do with it and to have a lawful basis for each use. Consent is the best-known basis, but it isn’t the only one: processing needed to fulfil a contract with the user, or a documented legitimate interest, can also qualify. Where you do rely on consent, it must be a freely given, specific, informed and unambiguous opt-in, not a pre-ticked box. 
  • If you pass this information to another organization – say, a vendor who processes it on your behalf – you must disclose that to your EU users and put a written agreement in place with the vendor spelling out exactly how the data must be stored, used, secured, and destroyed. 
  • EU users have the right to request a copy of the personal data you hold on them, and it must be provided in a commonly used, machine-readable format so they can take it elsewhere. They can also object to or restrict your use of their data, and request that you erase your copy. You generally have one month to act on such a request. 
  • Some organizations will need to appoint a Data Protection Officer (DPO): public authorities, and any organization whose core activities involve large-scale, systematic monitoring of individuals or large-scale processing of sensitive categories of data. The DPO oversees the handling of personal data in the organization, monitors compliance with the GDPR, and is the contact point for the supervisory authority and for EU users with complaints or questions. 
  • If you experience a personal data breach, you have 72 hours from the time you become aware of it to report it to the supervisory authority, unless the breach is unlikely to put individuals at risk. If the risk to them is high, you must notify the affected users as well, without undue delay. 

The GDPR takes a firm stance on data protection by design and by default: you collect only the personal data you need for a stated purpose, keep it only as long as that purpose requires, and establish a lawful basis before you use it – instead of assuming you can use anything you’ve gathered in any manner you like without asking. 

How do I know if the GDPR affects my business?

Perhaps you’re a small business that doesn’t operate in the EU. Why bother with the GDPR at all? Well: 

Do you operate on the internet? Allow users to sign up for an account? The regulation’s reach is defined by whether you offer goods or services to people in the EU or monitor their behaviour, not by where your servers sit. Unless you’re explicitly restricting access from certain geographic locations, an EU user can create an account with you, and from that point you’re expected to abide by these regulations as they pertain to that person’s personal information – name, address, username, email address, and yes, even the IP address you log for their session with your servers and the cookie you issue to their web browser. 

If you don’t do business in the EU now but plan on expanding across the Atlantic, this will end up affecting you, and you may be required to have these processes in place before you start work there. It’s better to begin planning the implementation sooner rather than later. 

Finally, expect pressure from third parties to conform to these kinds of regulations even when the third party isn’t in the EU. Companies and consumers alike are looking for ways to better protect personal information, and you may be asked to provide similar protection or risk losing business. 

Where can I learn more about the GDPR?

The European Data Protection Supervisor’s website has some practical resources for starting down the path of implementation. Its legal notice on the handling of personal data is a useful template to adapt for your own website (the EDPS is an EU institution that operates under its own rules, so treat the notice as a model rather than something to copy verbatim). It also publishes the details of its own DPO’s role and responsibilities, which can act as a guide for creating the role inside your organization. 

If your hands are a little more damp now than when you started reading this post, that’s understandable! Let us know if we can be of assistance in navigating your GDPR challenges.