As the global focus on data security continues to intensify, the European Union is in the process of implementing broad-ranging data security and privacy measures that will impact any business doing work overseas, or companies handling EU resident information.
This new regulation is formally known as Regulation (EU) 2016/679 of the European Parliament and of the Council, but is more often termed the General Data Protection Regulation (GDPR). It took effect at the end of May.
The primary purpose of GDPR is to define standardized data protection laws for all EU residents for all member countries. Its objectives are as follows:
• To increase privacy and extend data rights for EU residents.
• To help EU residents understand personal data use.
• To give regulatory authorities greater powers to take action against organizations that breach the new data protection regulations.
• To address the export of personal data outside of the EU.
• To require every new business process that uses EU personal data to abide by the GDPR data protection regulations and Privacy by Design rule.
The last two items, in particular, show that any company or organization holding EU resident information and/or doing business in or with any of the 28 EU member states needs to be prepared for the new data privacy standards.
The GDPR rules apply to sensitive data, which uniquely identifies a specific individual. This includes categories such as email, genetic information, IP address, and biometric data — along with driver's licenses and other types of personal information. As such, under GDPR, the definition of personal data has been both broadened and simplified to “any information relating to an identified or identifiable person.”
Even if your business is located in the United States rather than Europe, strong penalties exist for companies doing business with EU nations that are not in compliance. Although precedent for non-compliance penalties has yet to be set, it is likely coming very soon. Rather than risk non-compliance penalties, adherence to this new set of regulations is essential.
Here are some of the key attributes of GDPR that businesses and organizations should understand.
One set of rules: A single set of data protection rules will apply to all EU member states. GDPR will apply to all companies that process personal data of EU residents, regardless of their location.
Right to be forgotten: This is also known as the Right to Erasure. EU residents will have the right to request that personal data relating to them be erased. This is an enormous change from previous regulations.
Right to access: Data subjects can obtain confirmation from the data controller whether or not personal data concerning them has been processed, regardless of where it has been processed, or for what purpose.
Mandatory notifications: Data breach notifications will become mandatory in all EU member states if the data breach is likely to “result in risk pertaining to the rights and freedoms of individuals.” GDPR calls for notification without delay and, where feasible, within 72 hours.
New consent rules: Consent rules are changing, and opt-in requirements for obtaining personal data are much stricter.
Privacy by design: GDPR calls for data protection to be built in from the outset of system design, rather than being added at a later date.
Data protection impact assessments: Data controllers and data processors will be required to conduct data protection risk impact assessments for projects that have high privacy risks.
Notifications no longer mandatory: Under GDPR, it will no longer be necessary for data controllers to submit notifications/registrations of data processing activities to local data protection officers.
Jeffrey I. Ziplow is a partner with West Hartford-based accounting firm BlumShapiro.
