In May 2018, the European Union transformed its legislative landscape for data privacy and protection when it introduced the General Data Protection Regulation (“GDPR”). The regulation harmonized existing EU data protection laws to adapt them to the modern digital age. Since then, many other countries, and certain states within the US, have enacted stricter, more comprehensive data privacy laws, often based on the tenets of the GDPR and carrying significant penalties for non-compliance.
The most significant aspect of the GDPR is that it dramatically increased the scope of personally identifiable information (“PII”) by including any information that can be used to directly or indirectly identify an individual. This broader definition captures information that can be used to identify a specific individual, including identification numbers, IP addresses, social insurance numbers, location data, etc. It also imposes significant fines for non-compliance.
Organizations worldwide have had to put new privacy policies in place and assess whether their data privacy programs comply with each new aspect of the GDPR: implementing or revising internal policies, externally facing privacy policies and cookie banners, performing data mapping studies, and setting up programs through which data subjects can make their various requests. This creates serious new security and privacy challenges for businesses.