European Collaborations: Understanding GDPR

You’ve likely heard of ‘GDPR’ and you’re aware it concerns new (as of May 2018) data protection regulations instituted in Europe.

What you may be less aware of is that it also applies to countries outside those forming part of the EU (European Union) if they’re handling data relating to people based in EU member countries.

You might only do business or liaise with people in the US, but maybe you collaborate with contractors based in the EU? If your tax accounting involves someone rendering services from an EU member state, then having their email or even their IP (Internet Provider) address somewhere means you need to comply with GDPR.

What is GDPR exactly?

Simply put it’s now the world’s most stringent data protection rules and replaces data protection regulations mostly dating back to the 1990s. GDPR alters how organizations can collect and use data and gives individuals more rights and control over information they choose to submit.

Organizations not adhering to GDPR regulations face heavy fines – some running into millions of dollars.

Data termed ‘personal’ and ‘sensitive’ is covered by GDPR and is defined as follows:

Personal data – basically information that can identify a person including name, address, email and even their IP address.

Sensitive data – information covering aspects of a person such as their gender, religious and political views, sexual orientation and race.

Even personal information submitted as a pseudonym is covered if a person could be identified by that pseudonym.

US organizations and GDPR

For US organizations and others outside the EU, any way you collect personal information from someone in the EU means compliance with GDPR is required. For example, even people in the EU visiting your website is enough; their IP address is classed as personal data.

The only way for a US organization to avoid having to comply with GDPR is in not collecting any personal data at all from people based in the EU, and blocking them from accessing a ‘service’ such as their website with a ‘visitors based in the EU denied access’ or similar message.

Complying with GDPR

Organizations have to adhere to the following:

Justify their need for personal data

  • Clear consent from the individual to collect their data
  • Data required to fulfill appropriate activities – for example a telephone provider would need their customer’s phone number to provide a service
  • Data is required to preserve life
  • Data is required to comply with another law

Before collecting data, the reasons for doing so need to be made clear with no subterfuge. Pre-completed checkboxes and legal disclaimers buried in lengthy privacy policy statements are no longer acceptable.

Give people control over data collected

  • Users need to be told why data is being collected, what is being done with it and how long it will be kept for
  • Upon request, any data held about individuals has to be provided for inspection
  • If requested, all data about an individual has to be deleted
  • If a user points out errors in data held about them, it has to be corrected
  • Users can prohibit their data being used for certain purposes such as marketing
  • Any data used for automated purposes such as machine reading is subject to several extra requirements

For the most part, the above user requests have to be met within one month.

Keep data secure

GDPR demands that data is kept secure but doesn’t specifically explain how to achieve it – this information is a useful resource.

Security methods require regular testing and ongoing monitoring for security breaches is required; should any be found, they have to be reported within 72 hours to regulators and recorded.

Institute accurate record keeping

Compliance has to be documented so:

  • Written records concerning purposes of data collection, retention and security policies and more
  • Anyone external involved with processing an organization’s data has to have a written contract concerning their responsibilities in maintaining data security

Organizations with less than 250 may find some of the above requirements a little more ‘relaxed’. By contrast, those with over 250 employees – or those working with very sensitive data – are required to undertake regular data protection audits and have a named data protection officer.