As you may or may not know, the General Data Protection Regulation (GDPR) comes into effect on May 25, 2018. It is a new EU regulation put in place to protect the rights of individuals in the EU and their personal data, and it has the potential to affect any company that conducts business online.
As the CTO at Checkfront, I want to take the time to help you understand the new regulation and explain some of the measures Checkfront is taking to protect your data.
That being said, this information should not be considered legal counsel, and it remains your responsibility to ensure that your company is compliant.
What is the GDPR?
The GDPR replaces the 1995 EU Data Protection Directive, which has governed the use of personal data for more than two decades. The GDPR grants data subjects (the individuals the data is about) more control over their data through new rights, and places tighter obligations on data controllers and data processors (the companies that collect and process that data).
The main goal of the GDPR is to protect individuals' data by holding the companies that collect and process it to a higher standard of security and accountability.
The GDPR is getting so much attention because of the breadth of what counts as personal data and the severity of the penalties for companies found to be non-compliant.
Under the GDPR, personal data is any information relating to an identified or identifiable person: an IP address, a name, a photograph, or medical records all qualify. You can see the full definition of personal data here.
What are the rights of the individual?
The GDPR expands on the rights of the individual set out in the EU Data Protection Directive and adds two new ones. These are the rights of the individual under the GDPR:
Consent
At the time of data collection, the controller must obtain the individual's consent to collect and store their data, and must explain how it intends to use that data in clear and plain language.
Consent must be:
- freely given
- specific
- informed
- unambiguous
Additionally, controllers must be able to demonstrate that consent was given, and that it was obtained in a way that meets these standards.
New: The right to be forgotten
This means that a subject can demand that a company delete their personal data, subject to a limited set of exceptions (for example, where the company is legally required to retain it).
New: The right to data portability
This means a subject can demand that an organization provide them with a copy of their data in a structured, commonly used, machine-readable format, and, where technically feasible, transmit it directly to another organization.
Under the GDPR, companies cannot charge individuals for access to their data unless a request is manifestly unfounded or excessive (for example, because it is repetitive), in which case a reasonable fee may be charged. Requests must be fulfilled without undue delay and in any event within one month, a period that can be extended by up to two further months for complex or numerous requests.
What are the penalties?
Fines for violations of the GDPR are tiered. For severe infringements, companies could face fines of up to €20 million or 4% of worldwide annual turnover for the prior fiscal year, whichever is higher. Lower-level infringements are subject to fines of up to €10 million or 2% of worldwide annual turnover for the prior fiscal year, whichever is higher.
In the case of a data breach, controllers must notify the supervisory authority within 72 hours of becoming aware of it, and failing to do so exposes them to additional penalties. You can see the breakdown of the penalties on the GDPR website.
Who does the GDPR apply to?
The reason I say the GDPR could potentially affect any organization that conducts business online is that the regulation applies not only to companies established in the EU, but to any business that offers goods or services to, or monitors the behaviour of, individuals in the EU, regardless of where that business is located.
Because of this, it is crucial that businesses in the tourism industry, whose customers come from every corner of the globe, pay close attention to the regulation and ensure compliance.
Checkfront and the GDPR
To be compliant, businesses must adopt Privacy by Design concepts, meaning data privacy can no longer be an afterthought. These are the steps Checkfront is proactively taking to protect our customers' data and to assist you with GDPR compliance.
We have hardened our software security to reduce the risk of a data breach. Additionally, we are providing GDPR training and education to all staff, so that we can design our products and conduct business with a privacy-first approach.
We have a dedicated support channel for all things related to the GDPR. If you have any questions, concerns, or comments about the upcoming GDPR and your relationship with Checkfront, contact us at firstname.lastname@example.org
You can read more about Checkfront and the GDPR here.
What should you do next?
- Accept Checkfront's new Terms of Service – once our terms are updated, you will need to accept them to continue using the platform.
- Further educate yourself on the regulation and, where appropriate, seek legal counsel to ensure you are GDPR-ready by May 25, 2018.
- If you are an Enterprise client, please reach out to your Account Manager about our revised Master Services Agreement and Data Processing Addendum.