GDPR, the European Union’s new General Data Protection Regulation, hasn’t received a great deal of press in the U.S., presumably because it is a “Europe thing.” However, U.S. companies are in fact subject to GDPR if they handle personal information on individuals located in the EU, including website visitors.
This is a complicated and far-reaching regulation, and it would take an awfully long post to explain GDPR in full. The information here will help you understand how GDPR works and what, in general terms, is required for compliance. Organizations that are subject to GDPR have a good deal of legal study to undertake. As the regulation took effect on May 25, 2018, it’s time for organizations affected by GDPR to ramp up those efforts immediately, if they haven’t already.
How GDPR might affect your organization
GDPR seeks to protect individuals’ personal data. If your organization collects any personal data from individuals in the EU, or processes any such data collected by others, GDPR imposes strict rules. These include having a lawful basis for each processing activity (consent from the individual is one such basis, but not the only one), honoring an individual’s request to delete their personal data (the “right to erasure,” which has a limited set of exceptions), and notifying the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals.
Failure to comply can result in stiff fines of up to 20 million euros (more than $23 million) or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. U.S. companies can’t simply ignore the fines; EU supervisory authorities can pursue enforcement against non-EU organizations, and organizations without an EU establishment are generally required to designate a representative in the EU.
How GDPR defines “personal data”
Assuming your organization is a responsible custodian of people’s personal information as expected in the U.S., it is already fulfilling some of the spirit of GDPR – though compliance will require much broader efforts. It starts with accommodating the GDPR view of personal data vs. the U.S. view.
U.S. breach notification laws generally define “personal data” as a person’s name plus other formal, unique identification, such as a driver’s license or Social Security number. GDPR defines personal data far more broadly as any information relating to an identified or identifiable natural person. That includes location data, IP addresses, cookie strings, and mobile device IDs, as well as attributes such as age and marital status that can identify someone when combined with other data. In other words, pretty much any information that could be used to single out or identify an individual is considered “personal data” under GDPR.
Specific responsibilities: Are you a controller or processor (or both)?
GDPR assigns responsibility to two types of entities: controllers and processors. Because the roles depend on the activity rather than the organization, a single organization can be a controller for some processing and a processor for other processing.
“Controllers” determine the purposes and means of processing, that is, why and how personal data is used. “Processors” process personal data on behalf of a controller and on its documented instructions, whether that means collecting, storing, transmitting, or otherwise handling it; the regulation covers structured paper records as well as electronic data. For example, a retailer may collect personal data from its customers to enable it to market to those customers directly, based on their demonstrated preferences. If it uses a hosted email-marketing service to send those campaigns, the retailer is the controller and the email service is the processor. Be careful with payment flows: an acquiring bank that handles card payments for the retailer typically decides its own purposes and means under payment rules and is therefore usually an independent controller rather than the retailer’s processor.
Generally speaking, controllers have the greatest responsibility for GDPR compliance. This includes the primary role (among other requirements) of informing individuals why their data is collected, how it will be used and by whom, and how they can exercise their rights, including having their data erased. Processors still have substantial direct obligations, including acting only on the controller’s instructions, securing the data, and notifying the controller of breaches without undue delay, and the relationship must be governed by a written contract. Ensuring that everything is done accurately and compliantly requires transparency and coordination between controller and processor.
Again, there is a good deal more to understand for actual compliance if GDPR applies to your organization – and it does apply if you offer goods or services to individuals in the EU or monitor their behavior in a way that involves personal data, or if you process personal data on behalf of companies that do.
EU supervisory authorities (and ultimately the courts) decide how egregious any U.S. company’s noncompliance really is. When setting a fine, they weigh factors such as whether the infringement was intentional or negligent, how many individuals were affected, and what steps the organization took to mitigate harm, so an isolated, unintentional lapse will generally be treated differently from systematic disregard. Note that the phrase “unlikely to result in a risk to the rights and freedoms of natural persons” is the threshold that exempts a breach from the 72-hour notification duty, not a general excuse for noncompliance. With potential exposure to such high-dollar penalties, it’s definitely better to be safe than sorry.
GDPR is a reminder to all businesses, whether you have customers in Europe or not, that privacy is a major concern. We have a responsibility to our customers to ensure the data they provide us is kept safe. Windstream Enterprise is dedicated to keeping our customers informed and will continue to monitor this subject closely.
Trent Pham is Head of Security Products for Windstream and is responsible for the organization's enterprise security service strategy, development, and life cycle management. He joined Windstream in 2016 and has 20 years of security product management experience with communication service providers, security service providers, and startups. Trent also taught information technology in the University of Denver's Information and Communications Technology Graduate Program. Trent received an MBA from the University of Denver's Daniels College of Business and a BS in Mechanical Engineering from the University of Colorado Boulder, and holds a CISSP certification.