On the 25th of May of this year, the General Data Protection Regulation (GDPR) becomes enforceable. While many are hearing about the GDPR for the first time, it has roots as far back as 1981. Titled the “Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data” (Council of Europe Convention 108) and opened for signature in Strasbourg, France, the convention was the greatest data privacy rave held that season.
That’s right, the GDPR is a gift from France, like the Statue of Liberty, camembert cheese, and Daft Punk.
You don’t need me to tell you how that convention evolved into the “Data Protection Directive 95/46/EC” in 1995. That version of data protection applied to organizations established inside the EU that stored or processed personal data. Two years ago, in April 2016, the EU went a step further and adopted the current version. The biggest change is that the GDPR protects people in the EU no matter where the organization processing their data resides (the territorial scope in Article 3).
Companies and individuals have had two full years to ensure they are in compliance with GDPR. As stated on the main GDPR website, the legislation wants to reshape how we do data privacy:
“…to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”
The reason you are hearing a lot about the GDPR these days is not the looming deadline. No, the real reason has to do with the penalties you may face due to non-compliance. The penalties are as follows:
– Breaches of the lesser provisions (Article 83(4)): fines of up to €10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is greater.
– Breaches of the more important provisions (Article 83(5)): fines of up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is greater.
That’s a lot of French fries. It can also mean prison time, because you may face criminal prosecution as well. The GDPR itself carries no criminal penalties, but Article 84 leaves EU member states free to add their own, including criminal ones. If non-compliance with the GDPR runs you afoul of a member-state national law, you won’t be able to buy your way out with a fine.
The Original Workaround
For 20+ years, US companies worked around the rules by not storing data inside the EU. The EU wasn’t happy about this practice, which is why the GDPR’s scope now follows the person whose data is processed rather than the location of the server, and why it is staring us in the face.
Your personal data is the most critical asset you own. For those not familiar with what qualifies as personal data, the official GDPR website summarizes the definition (Article 4(1) of the Regulation) for us:
“Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
I applaud the EU for taking steps to protect the rights of people in the EU to have control over their personal data. I wish the USA cared as much about our rights to data security and privacy as the EU does for its residents. It’s also worth noting that the UK is in favor of the GDPR despite not being in favor of the EU.
I’ve been meaning to write about this topic for some time. I’ve had a lot of questions, comments, and concerns about GDPR and this blog. I decided a blog post would be the best way to get these thoughts out of my head. I’m not a lawyer, so don’t take what I write here for advice. But I’ve seen a lot of bad information, scare tactics, and xenophobia in the past few months. I expect that we will see more as May approaches.
It is my hope that today’s post will help you understand more about the GDPR. I’m writing this post as the owner of this blog, and someone that will make every effort to comply.
What You Need to Understand About the GDPR
First, you must understand that every use of personal data needs a lawful basis. Consent is the one most people hear about, but it is one of six bases listed in Article 6 (the others are contract, legal obligation, vital interests, public task, and legitimate interests). Where you rely on consent, it must be freely given, specific, informed, and unambiguous, and it must be asked for per purpose: you cannot bundle consent for a newsletter with consent for profiling. If you introduce a new purpose for data you already hold, you need a lawful basis for that purpose too, which for consent means asking again.
Second, you must be clear about how, where, and when their personal data is in use (Articles 12 to 14). No funny language, no pre-ticked boxes, no double-negative opt-in-or-out from mailing lists. Don’t take their emails and sell them, move them to a different mailing list, or do anything else a salesbag would do.
Third, the user has the “right to be forgotten”, formally the right to erasure in Article 17. It is not absolute (there are exceptions such as legal obligations to retain records), but when it applies you must erase the data without undue delay, at most within one month (Article 12(3)), and be able to demonstrate that the erasure was complete, including from backups and any third parties you passed the data to.
What this all means is that the GDPR isn’t about sales, the exchange of goods and services for money, or business in general. The GDPR is about the exchange of data. And we exchange data in many different ways. Here are some examples:
- If you attend an event in the EU, an EU resident hands you their business card, and you keep or record the details, you are likely subject to the GDPR.
- If you deliver a session at an event in the EU and invite people to read your blog, and an EU resident then leaves a comment on the referenced blog post, you are likely subject to the GDPR.
- If you target marketing material at users and customers in the EU, you are likely subject to the GDPR (Article 3(2) covers offering goods or services to people in the EU and monitoring their behavior). This includes publishing scripts that contain references back to your blog posts and pages.
- If you solicit diagnostic information from someone to help them troubleshoot an issue and it contains personal data of someone in the EU (IP addresses and usernames in a log file count), you are likely subject to the GDPR.
“This is not just important for firms that operate in Europe, but any firm that interacts with European citizens. Any company that holds data on EU citizens must comply.”
Thinking you can put your head in the sand and avoid GDPR compliance is a mistake.
What I’m Doing for GDPR Compliance
Keep a few things in mind here. First, as stated before, I Am Not A Lawyer. Second, this blog is a personal blog, nothing more. The GDPR rules will still apply here. I want readers of this blog to know that I respect their data security and privacy rights.
During the holidays, I took the time to give this blog a facelift. I also took the time to update my blogger disclosure page. That’s the page that details my activities. It allows you to know who I am affiliated with, who pays me with money, who pays me with bacon, and who I like hanging out with. On that page, I make two things very clear about the data collected via this blog.
GDPR compliance may be hard, but nothing worthwhile is ever easy. To me, data security and privacy are worth the extra effort. Any person or company that mocks the GDPR sends a message they do not care about customer data privacy. If you don’t want to respect the rights of EU citizens, then you won’t respect the rights of anyone. I’m a believer in treating people the way you want to be treated. If I want people to respect my rights, I must respect theirs.
I see the GDPR as the first step towards something better. See, the GDPR is about the data. But what we need is a way to protect the people, and not only their data. The GDPR doesn’t tackle the issue of voice recognition, for example. And I don’t see the current GDPR keeping pace with advances in similar technologies. This does not mean the GDPR is a failure. I see it more as a way for everyone to understand the dangers in the collection of personal data.
When it comes to good data privacy practices you need to follow a few simple rules, and each maps onto a GDPR principle in Article 5:
1. Only collect the data that you need (data minimisation).
2. Don’t misuse that data in any way. Don’t add people to a second mailing list, or sell their data (purpose limitation).
3. Know where you store their data, including backups, logs, and third-party services, so that you can find it and remove it when asked (storage limitation and the right to erasure).
As a data professional, the best message you can put out there is that you care about data privacy for your customers, no matter where they call home. That’s the right message we want to send, everywhere, all the time.
The GDPR isn’t perfect and is still evolving, but it’s a great first step. Use this as an opportunity to educate everyone about data privacy.