
EU GDPR Regulations Aim To Protect The Consumer

May 2018 marked the first month of the European Union’s new privacy policy regulation. This new regulation has businesses across the world updating their fine print and mass messaging their customers via email in an effort to be transparent.

Today, we look back at these updates and outline how to be GDPR compliant in 2024.

EU GDPR Regulations: The Updates

If you read the 2018 privacy policy updates, you will know that this new set of rules is called the General Data Protection Regulation (GDPR).

Although set and enforced by the European Union, all kinds of businesses across the globe are adapting to comply. Regardless of where your business is located, what really matters is where the consumer data comes from.

Why Has the EU Updated the GDPR Regulations Now?

This new regulation is a response to a growing concern about data privacy. Most people today are quite comfortable handing over personal information such as identification numbers and credit card details, trusting that the businesses on the other end will handle that information respectfully. In reality, prior to the GDPR, there was very little regulation on what could actually happen to this data, or on who would be responsible if it was breached.

The GDPR puts the responsibility back onto the businesses, which will hopefully encourage them to take consumer privacy and data security seriously.

Is it Enough?

Part of the GDPR is ensuring businesses are responsible when using your data to their benefit. However, the extent to which they are required to protect this data is not fully spelled out. Therefore, businesses with data worth protecting need to take proactive steps to secure it, not merely govern how they use it.

At Packetlabs, our security experts provide counsel on your organization’s weaknesses and vulnerabilities, and work with you to solve cybersecurity problems before they become a crisis.

"Do I Need to Be Compliant With GDPR?"

The GDPR applies to any organization that processes the personal data of European residents, regardless of where that organization is based. Given the interconnected and international nature of the digital economy, that includes many—maybe even most—businesses today. Even organizations that don’t fall under the GDPR’s purview may adopt its requirements to strengthen data protections.

More specifically, the GDPR applies to all data controllers and data processors based in the European Economic Area (EEA). The EEA includes all 27 EU member states plus Iceland, Liechtenstein, and Norway.

A data controller is any organization, group, or person that collects personal data and determines how it is used. Think: an online retailer that stores customers’ email addresses to send order updates.

A data processor is any organization or group that conducts data processing activities. The GDPR broadly defines “processing” as any action performed on data: storing it, analyzing it, altering it, and so on. Processors include third parties that process personal data on a controller’s behalf, like a marketing firm that analyzes user data to help a business understand key customer demographics.

The GDPR also applies to controllers and processors that are located outside the EEA if they meet at least one of the following conditions:

  • The company regularly offers goods and services to EEA residents, even if no money changes hands.

  • The company regularly monitors the activity of EEA residents, such as by using tracking cookies.

  • The company processes personal data on behalf of controllers in the EEA.

  • The company has employees in the EEA.

There are a few more things worth noting about the GDPR’s scope. First, it is only concerned with the personal data of natural persons, also called data subjects in GDPR parlance. A natural person is a living human being. The GDPR does not protect the data of legal persons, like corporations, or the deceased.

Second, a person does not need to be an EU citizen to have GDPR protections. They merely need to be a formal resident of the EEA.

Finally, the GDPR applies to the processing of personal data for virtually any reason: commercial, academic, governmental, and otherwise. Businesses, hospitals, schools, and public authorities are all subject to the GDPR. The only processing operations exempt from the GDPR are national security and law enforcement activities and purely personal uses of data.

10 Steps to Ensure Adherence to Current EU GDPR Regulations in 2024

If you have data or communicate with any European citizens, you are subject to the GDPR.

“GDPR will change the privacy law landscape for any Canadian organization that deals with the personal information of European Union citizens.”

Here are some ideas on how to audit your compliance:

  • Document your data handling (how you collect customer information, how you record chat history and transaction information, how you process data, where you store it, and who has access to it).

  • Update your Terms of Service, Privacy Policy, and any other related agreements.

  • Audit and clean up outdated privacy data – only store data for a certain period of time.

  • Do NOT keep any out-of-date personal data that belongs to your employees and customers.

  • Secure your IT infrastructure and servers – again, make sure your IT department is following best practices in their daily tasks. Working with a professional is the most reliable way to ensure your IT infrastructure is solid.

  • Safeguard your digital platforms or cloud apps consistently.

  • Train staff on how to manage private data properly, such as dealing with sensitive information, reacting to a data breach, managing requests to erase personal data, etc.

  • Draft new employment contracts – update the GDPR-related policies in your contracts for freelancers, contractors, suppliers, full-time employees, etc.

  • Appoint a Data Protection Officer – if you have over 250 employees and customer data is a big part of your day-to-day operations, you need a DPO.

  • Consult with a legal firm or external IT security consulting company to ensure you have done everything above and beyond to protect your assets and consumer data.

Conclusion

The GDPR establishes the general obligations of data controllers and of those processing personal data on their behalf (processors). These include the obligation to implement appropriate security measures, according to the risk involved in the data processing operations they perform.

Are you confident in your website’s security and GDPR compliance? Contact us for a free consultation today!
