
Facebook co-founder, chairman and CEO Mark Zuckerberg testified before the House Energy and Commerce Committee in Washington, D.C., earlier this month. He gave testimony to Senate committees after it was revealed Cambridge Analytica used Facebook data to influence U.S. voters. (Chip Somodevilla/Getty Images)


The GDPR protects personal data and 4 other things to know about the EU's new regulation

Penalties for non-compliance can be huge—up to 4 per cent of annual global turnover, or 20 million euros


The General Data Protection Regulation is an understated name for what will be a big deal for organizations worldwide. As of May 25, 2018, if you hold any personal data on people in the European Union, be it electronic or on paper, regardless of where the data sits or where your organization is based, you’re subject to GDPR. And penalties for non-compliance can be huge: for the most serious breaches, up to 4 per cent of annual global turnover or 20 million euros, whichever is higher.

Microsoft Corp. president Brad Smith put it best: “If you have customers in the EU, this matters to you,” he said. “If you have employees in the EU, this matters to you. If you’ve even heard of the EU, this matters to you!”

So put on your risk management hat and check out these five things that you need to know about GDPR.

1. GDPR protects personal data. That’s a broader scope than the personally identifiable information that Canadians are required to protect, encompassing anything that can be used to identify an individual, directly or indirectly. It could include the IP address or hardware (MAC) address of the computer an individual uses, or even a web cookie, if it can be tracked back to that individual. Pseudonymized, encrypted, or de-identified data remains personal data as long as it can be used to re-identify an individual; only data that has been truly anonymized, so that no one can re-identify the person by any reasonably likely means, falls outside the regulation.

2. Data may only be collected for a specific purpose. Only the data necessary to fulfil that purpose may be collected and processed, by automated or manual means. Processing covers a broad set of operations, including collecting, recording, storing, retrieving, disclosing, and erasing data. The data can’t subsequently be used for other purposes incompatible with the original purpose. And the privacy notices and consent requests in apps, software, and websites must be clear and understandable, and consent must be freely given and as easy to withdraw as to give—no more dense legalese or pre-ticked boxes.

3. You must have appropriate technical and organizational safeguards to protect the data and control its use. The regulation names pseudonymization and encryption as examples, and expects data protection to be built into systems by design and by default rather than bolted on afterwards. If a breach does occur, the supervisory authority must normally be notified within 72 hours of the organization becoming aware of it.

4. GDPR regulates the movement of data across national borders. Data may only move outside the EU, Norway, Liechtenstein, and Iceland (a.k.a. the European Economic Area) without further safeguards if the European Commission has deemed that the destination’s privacy regulations provide an adequate level of protection. So far, Andorra, Argentina, Canada (commercial organizations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the United States (limited to organizations certified under the Privacy Shield framework) have adequacy. For other destinations, transfers need safeguards such as the Commission’s standard contractual clauses, or binding corporate rules, which govern internal data transfers within multinational organizations. There are, of course, special rules for law enforcement.

5. People have the right to receive a copy of the data a company holds on them, and the right to be forgotten—to have their personal data deleted once there is no longer a valid reason to keep it (subject to legal requirements; for example, banks are required to retain customer details for a specified period).