On May 25, 2018, the European Union saw its new General Data Protection Regulation (GDPR) go into effect across all member nations. This enactment arrived with much fanfare and even some controversy across the EU, particularly in the business and technology industries. Its impact on private citizens of the EU cannot be overstated, either. Laws laying out standards for protecting private information continue to grow in number, and they are bringing consequences for entities that don’t achieve and maintain compliance with those standards.
Below we’re going to take a look at the GDPR law in the EU as we approach the one-year anniversary and how it influences the global community.
How Did GDPR Come to be in the European Union?
Data protection became a more prevalent issue in Europe and around the world as the Internet grew from a medium into a way of life. Many felt it was time to update the legal standards governing how companies safeguard people’s data. The previous act in Europe, the 1995 Data Protection Directive, was badly outdated: it went into effect when the Internet was barely known around the world. Social media did not exist in 1995, and sharing information online was not yet a significant concern.
In addition, this 1995 act was technically not a regulation, but rather a directive, which carries less weight legally in the EU. Under this directive, each member country could decide how to deal with the data protection issue individually and no uniform standards or remedies were in place. GDPR was introduced to address those concerns and was adopted in 2016 but did not go fully into effect until May of 2018. Given that it’s a regulation instead of a directive, it also provides a more unified set of procedures, requirements, compliance standards and remedies for violations that carry the weight of any law.
What Is General Data Protection Regulation?
General data protection regulation, or GDPR, is designed to provide individuals with more control over their personal data. It’s important to consider the definition of “personal data” under which the GDPR operates. According to the GDPR:
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
This expands the scope of data that must be protected, largely because of the inclusion of terms such as “location data,” which social media networks use routinely. It also has implications for entities engaged in analytics for marketing or many other business-driven purposes.
In essence, the GDPR requires companies that collect data to carefully protect that data according to basic protocols. If or when any breach of personal data occurs, the company that was controlling that data is required to report this breach to the authorities within 72 hours of discovery. This reporting requirement ultimately allows individuals to find out whether their data may have been compromised.
Who Does GDPR Affect?
Even though GDPR was passed in the European Union, its scope and reach extend worldwide. That’s because when any entity uses, stores, shares or in any way processes data related to EU citizens, the GDPR has jurisdiction. This is true even if a company has no physical presence in Europe.
There are some exceptions to this jurisdictional standard, such as if a company employs fewer than 250 people – but even that exception comes with several of its own exceptions and creates a very narrow niche in which companies can avoid GDPR oversight.
How Does the GDPR Affect Everyday Business Practices?
What this law means for companies around the world dealing with personal data is that they now have to request permission to use data belonging to those whose information is being stored, processed, shared, etc. An individual can also:
- Demand that an organization delete their personal data
- Request information on how their personal data is being used
- Request copies of their personal data
This is the focal point of the GDPR for individuals in Europe. They can now take control of their data and companies that do not follow these standards can face consequences for said failures.
What Happens if an Organization Does Not Adhere to GDPR?
Another stark change between the previous directive and the new regulation is that the GDPR provides serious accountability for organizations that violate its terms. Specifically, those who are found to have failed to comply with the regulation can face a fine of up to 4 percent of their previous year’s revenue.
It should be noted that this 4 percent is calculated against the organization’s worldwide revenue, not just the revenue generated in the EU. If that 4 percent figure is below €20 million, the organization can instead face a fine of up to €20 million; whichever of the two figures is larger applies.
Will a GDPR-Type Law Arise in the United States?
As of now, American companies that handle any personal data from citizens of the EU need to comply with the GDPR. However, this does not apply to American citizens. Currently, there is no national, uniform law in place that deals with handling private individual data.
However, consumer interest groups and other advocates have been pushing the American legislature to look closely at this issue, and it’s highly likely that something could be enacted within a matter of years. These days, private data breaches are dealt with at the civil lawsuit level – absent overt criminal activity on the part of the organization, which is subject to the jurisdiction of the Department of Justice.
GDPR and Remote Desktop Connections
Ultimately, laws such as the GDPR affect organizations that use remote connections to connect to devices with customers’ personal data. This series of blog posts is an in-depth analysis of remote desktop connections and how to keep your business compliant with GDPR:
- Remote Access and GDPR: A Compliance Odyssey
- Remote Access and GDPR Part 2: Pseudonymization and Encryption
- Remote Access and GDPR Part 3: The Impact of Requiring Consent
- Remote Access and GDPR Part 4: Data Minimization
- Remote Access and GDPR Part 5: The Right-to-be-Forgotten
These analyses were written before the GDPR went into effect. If you have questions about Netop’s commitment to full compliance with this law, feel free to contact us at any time or read our GDPR policy.
You can find out how Netop Remote Control can keep your business compliant with GDPR by downloading the GDPR Compliance Checklist or our comprehensive ebook, The Essential Guide to GDPR Compliant Remote Access.
We will continue to monitor regulations such as this one worldwide, and at the one-year anniversary of the GDPR we remain an industry leader in providing secure remote connections that can have you and your organization resting easy that potential challenges are being addressed ahead of time.
Sam Heiney is the Product Manager for Netop Remote Control.