In May 2018, the European Union (EU) published privacy data protection rules called the General Data Protection Regulation (GDPR). The main drivers for the regulation were a lack of trust in the existing privacy legislation and the goal of giving businesses a level playing field.
What is Personal Data
The EU defines personal data very broadly. Specifically:
Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.
Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the law.
Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.
According to the EU, here are examples of personal data:
- a name and surname;
- a home address;
- an email address such as firstname.lastname@example.org;
- an identification card number;
- location data (for example the location data function on a mobile phone)*;
- an Internet Protocol (IP) address;
- a cookie ID*;
- the advertising identifier of your phone;
- data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.
One aspect of this regulation is that GDPR empowers EU individuals to request that companies provide access to all personal data held about them, correct any information they believe is inaccurate or incomplete, and, more importantly, delete all of their personal information (PI) data. The company must respond within 1 month of the request. This has huge enterprise implications if data governance policies are loose.
Impacts on US Companies
While GDPR only applies to individuals in the EU, global US companies still face major compliance and data impacts. As recently as January 2019, Google was fined around $56.8 million for non-compliance with GDPR, almost 9 months after the regulation was passed. Setting the stage for individual privacy and data control, US federal and state lawmakers could take the regulation as a baseline that gives U.S. citizens the same level of data controls. On January 29, 2018, California passed a digital privacy law very similar to GDPR.
Agape provides clients with data strategies as well as tactical plans for GDPR compliance beyond what is outlined here. Contact Us for more details so we can help you ensure legal GDPR compliance.