Privacy is a critical right, and customers are correct to demand that their data be protected. At Mixmax, we’re excited about a new data privacy law, the General Data Protection Regulation (GDPR), which goes into effect in May 2018 in the European Union (EU). This law, established by the EU Parliament, gives EU citizens and residents more control over their personal data. Companies — in Europe and all over the world — are working quickly to ensure that they take the proper precautions for keeping customer data private. Here’s a brief overview of the GDPR and what it means for your business.
Please note that this article doesn’t constitute legal advice. If you’re preparing to be compliant with these new regulations, be sure to consult your legal team.
What is personal data?
The GDPR defines personal data as any information that can be used to directly or indirectly identify a person, such as a name, photograph, email address, or even an IP address.
How does the GDPR protect personal data?
The GDPR establishes a common vocabulary for talking about data privacy, and it protects personal data in six ways.
The data subject is the individual whose personal data is being protected by the GDPR. For example, when you create an online account, you are the data subject. The organization with which you create the online account is the data controller — the person or agency who determines the purposes and means of processing your personal data. Your personal data may also be handled by a data processor — a person or agency who processes personal data on behalf of the controller.
Under the GDPR, personal data is protected in six key ways:
- Breach notification – Data processors are required to notify customers, without undue delay, after they become aware of a data breach.
- Right to access – Data subjects have the right to get confirmation about whether their personal data is being processed, where it is processed, and for what purpose. They also have the right to get a copy of the personal data.
- Right to be forgotten – Data subjects can ask the data controller to stop processing and erase their personal data.
- Data portability – Data subjects can receive their personal data, and have the right to transmit that data to another data controller.
- Privacy by design – Data privacy can’t be an afterthought — data protection must be considered from the beginning, when systems are designed. Data controllers can only hold and process the data that is absolutely necessary, and must limit access to personal data to those who need to actually process the data.
- Data protection officers – If a data controller conducts activities that require regular monitoring of data subjects on a large scale, they need to appoint a Data Protection Officer who has expertise in data protection laws and practices.
What happens if organizations don’t comply?
Under the new law, if an organization doesn’t protect its EU customers’ personal data, the penalty is severe: it could be fined 4% of global revenue or 20 million Euros ($24 million USD), whichever is greater. It could also be prevented from working with customer data until it brings its operation into compliance.
What if I’m not in Europe?
The GDPR protects the rights of EU citizens and residents, but even if you’re not in Europe, you’ll feel the effects. As a customer, you’ll notice it because many of the online products and services you use also serve European customers, so those products and services must be made GDPR-compliant. In your work life, your organization may have EU customers, so your own products and services will need to comply. Or your organization may have customers who themselves have customers in the EU, in which case you’re a data processor for a company with EU customers.
How has Mixmax prepared for the GDPR?