Have you been getting a lot of email notices for updated privacy policies? Well, it’s not a coincidence. Many companies are updating or clarifying their online privacy policies to be compliant with the new European Union (EU) General Data Protection Regulation (GDPR) which will technically take effect on May 25, 2018.
What is the GDPR?
GDPR was designed to harmonize data privacy laws across Europe, protect EU citizens’ data privacy, and regulate the way organizations approach data privacy. The regulation contains a total of 99 articles, and you can read more about the details through the EU GDPR Portal.
In essence, it is a series of regulations that control what information a company can collect about an individual (who resides in the EU), what the company can do with that information and how it stores it, and the penalties for companies that violate the regulations.
Who is affected by GDPR?
From a user perspective, the protections cover any resident of the EU. However, many companies are voluntarily extending their changes and privacy policies to include all users for simplicity.
From a company perspective, it applies to any organization that collects data on EU residents.
What should you know about GDPR, encryption, and your PDF files?
There are many more thorough sources of information on this topic (just Google ‘GDPR’), but one thing that may concern our Win2PDF customers is that the regulation restricts sending personal information unsecured. Encryption isn’t explicitly mandated by the regulations, but it is suggested several times as being part of the compliance solution. For example, as this article points out:
…of the 261 pages of GDPR, the word ‘Encryption’ appears just 4 times;
“…implement measures to mitigate those risks, such as encryption.” (P51. (83))
“…appropriate safeguards, which may include encryption” (P121 (4.e))
“…including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data.” (P160 (1a))
“…unintelligible to any person who is not authorised to access it, such as encryption” (P163 (3a))
Do the terms ‘may’, ‘such as’ and ‘as appropriate’ indicate that Encryption is mandated by GDPR, as some are suggesting? I don’t believe it does.
Do these terms suggest that Encryption is an OPTION and a good idea? Then yes, it does.
If you are sending a customer’s personal information in a PDF file, you should seriously consider encrypting the PDF.
What can you do to be compliant with GDPR?
First, here is a 12-point PDF that gives a broad 12-step overview of achieving compliance with the GDPR.
Second, you may wish to review your current processes involving customer data that may be included in PDF files that you generate. How are they disseminated? Is the data secured? If you do not currently encrypt PDF files, now may be a good time to do so.