If you’re storing data related to EU persons in your databases, an upcoming legal regulation may change how you should handle such data moving forward.
What is the General Data Protection Regulation (GDPR)?
The European Parliament, the Council of the European Union, and the European Commission combined forces in April 2016 to protect the data of EU residents. Details can be found on the EU GDPR website.
This law extends to international companies that handle EU individuals’ data. Protected information includes names, physical addresses, email addresses, bank information, photos, medical data, computer IP addresses, and even social media posts. As of May 25, 2018, the binding regulation will be enforced, and your company could face legal liability for failing to comply.*
When You Can Use Personal Data
You are only allowed to process these types of data if you have a lawful basis, for example:
- The resident has given explicit consent.
- You must collect and/or process the data to fulfill a contractual obligation.
- You have a legal obligation to do so within your business.
- Protecting vital interests of the resident requires management of the data.
- It is in the public interest to handle the data.
- The data is critical to legitimate interests of a third party.
How It Could Affect You
If you work with this data, whether you store it, manage it, or just process it for others, you’re responsible for complying with the new GDPR rules.
You may need to adjust how you handle data access, deletion, and transfers, and add stronger protection against data breaches. For example, instead of storing the original identifying data, you could replace it with pseudonyms, keeping the key that links them back to the person protected elsewhere, of course. You are accountable for documenting and adhering to these practices, as well as proving them to officials, if necessary.
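As an added illustration of that pseudonymization idea (example code, not part of the original post), the snippet below replaces identifying fields with keyed HMAC tokens and keeps the re-identification map in a separate vault; the key, field names and sample rows are constructed for the example.

```python
import hmac
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed sample rows standing in for a customer table (not real people).
SAMPLE_RECORDS = [
    {"id": 1, "name": "Anna Example", "email": "anna@example.eu", "plan": "pro"},
    {"id": 2, "name": "Bo Example", "email": "bo@example.eu", "plan": "free"},
]


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: same key + value gives the same token,
    so joins still work, but without the key a token cannot be linked back."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


class IdentityVault:
    """Token -> original value map. Keep this (and the HMAC key) in a store
    with tighter access controls than the pseudonymized table itself."""

    def __init__(self) -> None:
        self._map: Dict[str, str] = {}

    def remember(self, token: str, value: str) -> None:
        self._map[token] = value

    def reidentify(self, token: str) -> Optional[str]:
        return self._map.get(token)

    def erase(self, token: str) -> bool:
        # Dropping the mapping answers a deletion request without rewriting the
        # pseudonymized rows, which can no longer be tied to the person.
        return self._map.pop(token, None) is not None


def pseudonymize_record(record: dict, id_fields: Tuple[str, ...],
                        key: bytes, vault: IdentityVault) -> dict:
    """Return a copy of record with each identifying field replaced by a token."""
    out = dict(record)
    for field in id_fields:
        if out.get(field) is not None:
            original = str(out[field])
            token = pseudonym(original, key)
            vault.remember(token, original)
            out[field] = token
    return out


def pseudonymize_table(records: List[dict], id_fields: Tuple[str, ...],
                       key: bytes, vault: IdentityVault) -> List[dict]:
    return [pseudonymize_record(r, id_fields, key, vault) for r in records]
```

The HMAC key would normally be loaded from a secrets manager rather than hard-coded; losing it means the pseudonymized rows can no longer be re-identified, which is exactly the property that limits breach impact.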
Data Breach Ramifications
If you have the misfortune of experiencing a data breach that exposes EU resident data, you must report the breach within 72 hours of becoming aware of it to a supervisory authority. If the breach makes EU residents vulnerable, you must notify them of the breach as well.
Failure to Comply
If you do not follow the requirements listed by the GDPR, you could face sanctions, including fines and costly audits.
Steps to Take Before May 25, 2018
Check out the details of the regulation on the official GDPR website. Think through whether this applies to you; you may want to consult with a legal expert.
If you determine you should make adjustments to your system, let us know! We’ll be happy to help.
*We are not legal professionals. Please consult a legal expert to determine the GDPR’s exact ramifications for your business and practices. If you’re handling data for law enforcement or national security purposes, you may not need to follow these regulations, but we still recommend talking with a legal professional before May 25th.