Are You Still Asking – What is GDPR?
Questions about GDPR compliance are popping up everywhere. Does GDPR apply to me or my business? If GDPR is an EU regulation, how can it affect my company based in the US? How do I know if we are GDPR compliant?
GDPR Has A Global Reach
Now you might want to go back and ask: what is GDPR? It is an EU privacy regulation known as the General Data Protection Regulation. EU privacy and human rights laws have been around since 1995. The current GDPR was adopted in early 2016, and enforcement goes into effect on May 25th, 2018.
Thinking about personal data security, almost any online interaction involves some type of personal data. In terms of the GDPR, personal data of an EU citizen includes, but is not limited to, name, address or location data, gender, physical or economic information, IP address, and a variety of other identifiers.
The goal is to provide individuals with a higher degree of privacy protection and to treat personal data protection as a right. Accordingly, GDPR compliance applies to any business or entity that comes into contact with the personal data of any EU citizen, regardless of where you are located.
For example, here at ExaVault, we have done our due diligence to be EU GDPR compliant. ExaVault is a file sharing and FTP service provider with clients worldwide. Even though ExaVault is a US-based company, files shared through our service may contain personal data of EU citizens. And as a company that values security and privacy, we want all our clients to know we are taking the necessary steps to comply with the GDPR regulation. Privacy by design and data security regulations are the way of the future for all businesses.
Key Points of Being GDPR Compliant
Personal data is owned by the individual. While a company may be given access to personal data, it is not given ownership. That personal data needs to be protected and used only in authorized ways that are clearly stated and approved by the owner. GDPR gives EU citizens the right to know which of their personal data you hold, what data is being processed, and for what purpose. GDPR compliance is about getting consent to access any personal data and clearly stating the purpose for which it will be used.
Whether you are the data controller or the data processor, it is everyone’s responsibility to deal with personal data in an ethical manner. Security measures, technical safeguards, and training are essential to ensure data security.
Documentation is essential. Under the GDPR, consent is central, and you must be able to show how and when consent was granted for access to any personal data of an EU citizen. If for any reason the data owner requests to be forgotten or to have their information removed, they have that right. This is the “right to be forgotten” and is part of GDPR. Proof of this request, and of your compliance with it, also needs to be documented.
GDPR Sounds Complicated
Yes, it does. And there’s no getting away from it. ExaVault has embraced this general data protection regulation, along with the data processors we associate with. All businesses and individuals should consider how they want their personal data handled. Data privacy and security are nothing new. Changes are inevitable as we become a more global society. If we look at the EU GDPR as a good thing, we can all move forward successfully and evolve our online interactions so that privacy by design is the standard and individuals’ rights are protected for everyone around the world.