In April 2016, the European Union (EU) adopted a new law, the General Data Protection Regulation (GDPR). Enforcement begins this coming May 25th, meaning that any organization doing business in the EU that is out of compliance could face large fines, regardless of where it is based. Some companies, including email services and online games, are choosing not to do business in the EU as a result.
The GDPR applies to any personal data, meaning any information that identifies you or can be used to identify you: your name, a photo, an email address, social media posts, medical information, IP addresses, bank details and more.
There are many key changes in the new regulation, which replaces a 1995 EU directive. Where companies rely on consent to collect or use personal data, that consent must be obtained in a clear and understandable way, and it must be as easy for customers to withdraw consent as it was to give it. If there is a data breach, companies must notify the supervisory authority within 72 hours of becoming aware of it, and must notify the affected individuals without undue delay when the breach is likely to put them at high risk. Consumers now have the right to access and obtain a copy of all their personal data, and they must also be able to request that their data be erased from the company’s databases, known as “the right to be forgotten.”
Customer data must also be portable: personal data must be given back to the customer in a “structured, commonly used and machine-readable format” so they can move it to a different company. Overall, the GDPR requires that privacy be built into new systems from the start of design (“data protection by design and by default”), rather than added later.
SNIA has been tracking the requirements of the GDPR for a while now, and offers a host of helpful content that introduces the GDPR and explains the key elements relevant to storage ecosystems. The organization’s latest applicable document, the Storage Security Data Protection Technical White Paper, was released this past March; it covers ISO/IEC 27040 (Storage security) and is also relevant to protecting your customers’ data.
There is also a slide deck that addresses Privacy vs. Data Protection directly, along with the impact of the new legislation on companies that wish to be compliant. Another set of SNIA slides, originally presented by Eric Hibbard, explains the difference between data protection and privacy and how it relates to the new GDPR requirements. More specifically still, SNIA members Thomas Rivera, Katie Dix Elsner and Eric Hibbard presented a webcast titled “GDPR & The Role of the DPO (Data Protection Officer).”
In addition to these specific resources, SNIA offers a wide range of white papers, tutorials, articles and other material to help make sure you and your company are ready for GDPR on May 25th.