By SEMA Washington, D.C., Staff
SEMA-member companies doing business in the European Union will need to comply with the General Data Protection Regulation (GDPR), which is a new privacy and security regulation that requires businesses to adopt procedures for processing personal data of European Union citizens. The new law is set to take effect May 25.
In essence, the GDPR requires that any company that collects or processes personal data about EU citizens within EU states carefully protect that data, and the conditions under which such data may be used have also been made more stringent. For practical purposes, many companies that do any business with European Union citizens will be affected, whether they are primarily located in Europe or not.
Fines for non-compliance are based on a percentage of the business done, and especially for larger companies, could be substantial. Among other things, companies may be fined for failing to keep their records secure and up to date, or for failing to promptly notify all involved in case of a data breach.
Consent is not the only lawful basis for processing, and many companies may find they can instead rely on processing that is necessary for a contract and/or on another legitimate basis. Explicit “opt-in” consent is required for processing sensitive personal data; for non-sensitive data, however, “unambiguous” consent, offered in easily understood language, may be sufficient. In any case, requests for consent must be made using clear and plain language, and the choice to opt out must be obvious and easy to exercise.
For purposes of the GDPR, “personal data” is broadly defined. It can include a name, a photo, an email address, bank details, posts on social networking websites, medical information, cookie data, a computer IP address and similar identifying information.
Step one for most companies will be to assess whether they are covered by the GDPR. If, after analyzing your specific situation, you determine that your company is required to comply, you should assess the personal data currently stored for European Union residents. This would include basic identity data (name, address and web data such as IP address, cookie data, etc.) plus any data pertaining to health, genetic information, racial and ethnic data, political opinions and sexual orientation.
Once you have a sense of what data is affected, consider what changes may need to be made in existing data security processes and protocols. A useful starting point would be the EUGDPR.org website, which defines the regulation in detail and offers resources and compliance partners.
SEMA is closely following the implementation of the GDPR and will supply more information as guidance becomes available.