The General Data Protection Regulation is a far-reaching set of rules passed by the European Union that will protect the data of EU consumers and impose stiff fines on companies that do not comply. It will be enforceable on May 25, 2018.
Here are five key points to know about GDPR.
If I’m based in the United States, do I need to worry about this?
The short answer is yes, because GDPR will apply to any companies that do business with EU citizens, even if the businesses are located outside Europe. For example, Facebook will need to comply, since many of their customers are located in EU member states. Since most companies do business over the web, it will likely be easier for US companies to become GDPR-compliant for all of their customers rather than just those from the EU.
What types of private data are protected by GDPR?
The EU states that personal data includes “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information or a computer’s IP address.”
What does GDPR entail?
The regulation provides certain rights to EU consumers whose data is used by businesses. These include:
- Consent. Requests for consent must be presented in a clear and easily accessible form, without long, illegible terms and conditions full of legalese. It must be just as easy to withdraw consent as it is to give it.
- Right to access. Consumers will be given the right to obtain confirmation about whether or not personal data concerning them is being processed, where and for what purpose. The controller will also provide a copy of the personal data, free of charge, in electronic format.
- Right to erasure. Also known as the right to be forgotten, consumers will be able to request to have their personal data erased.
- Data portability. Consumers will have the right to transfer their personal data from one electronic processing system to another.
In the case of a data breach, the regulation requires businesses to notify representatives of EU countries within 72 hours and to provide details about which EU citizens were affected.
The regulation also calls for privacy by design and by default, meaning that data protection must be a priority from the outset of designing systems. Controllers will be required to hold and process only the data that is absolutely necessary, and to limit others' access to personal data.
In addition, GDPR requires the appointment of Data Protection Officers for public authorities, organizations that engage in large-scale monitoring or organizations that engage in large-scale processing of sensitive personal data. DPOs will have oversight over data privacy and will report to representatives of EU countries in the event of a data breach.
What happens if I don’t comply?
Organizations can be fined as much as 4% of their global annual turnover, or €20M, whichever is greater.
What does this have to do with my company’s Excel files?
At the very least, any private information stored in your Excel spreadsheets will need to be fully secure and easily traceable, with the ability to limit the amount of data that others can access at any time.
DataRails, the Excel management platform backed by Microsoft, can help you with all of these, as well as provide instant insights on your data without changing the way you currently work in Excel.