Seven Things You Need to Know about the EU General Data Protection Regulation (GDPR)
The European Union's recent data privacy reform, the General Data Protection Regulation (GDPR), is a pretty big deal both for EU-based companies and for non-EU companies around the world doing business with EU citizens or residents. The regulation focuses on protecting personally identifiable information (PII). The GDPR replaces the separate and inconsistent data protection rules that member countries have had in place across the EU. Now there will be one data privacy standard throughout the EU, managed by one regulatory body, the EU Data Protection Board.
Every organization doing business in the EU or with EU citizens must meet the GDPR regulations by mid-2018. That may sound far off, but my company is already working with both US and EU-based companies preparing to adapt and enhance their data protections ahead of the 2018 deadline. Organizations do not want to be caught short since the GDPR compliance violation fines can have a material impact on a company’s bottom line. More on that in a bit.
The gist of the GDPR privacy regulation is that it gives each EU resident control over his or her personal data. With permission, an organization can use the data, but individuals essentially own their personal data and can withdraw an organization's right to use it. An EU resident can monitor the use of their data, decide who can access it, and demand its return. The net effect is that companies must audit and control each of these processes. For medium to large firms with thousands of customers, vendors and partners, the challenge is significant.
Here are 7 key provisions of the GDPR that we should all be aware of:
- It’s Global. I’ve already mentioned this, but the GDPR is essentially a world-wide regulation. It covers any company doing business with any EU resident, even if the company is headquartered in Timbuktu. Think about it: any app or website can fall under the GDPR's purview.
- Material Financial Penalties. Fines for violating GDPR rules will be material. Companies should no longer operate under the assumption that they will get a slap on the wrist, as maximum GDPR fines can be up to 4% of world-wide revenue (or turnover) or €20 million, whichever is higher.
- Includes all Organizations that Access Personal Data – Not Just the Collector. The GDPR applies to any organization that touches PII. That includes not only the company that collects the data, but also that company’s service partners and suppliers who may, in the course of business, have temporary or ongoing access to GDPR-covered data.
- Mandatory Requirement for a Data Protection Officer. A company with more than 250 employees must have an individual data protection officer to monitor and manage the internal processes of GDPR compliance.
- Data Breach Reporting. If a breach of PII occurs, the data protection officer is required to notify the EU Data Protection Board within 72 hours. If there is any negative impact on the affected individuals' data, those individuals must be notified as well. This is tricky because breach monitoring and identification are still not widely implemented. But then again, companies have a little time to prepare.
- Consent Requirement. Consent for the use of an EU resident's personal data must be obtained from that resident. This includes an explicit statement of the type of data collected and the purposes of the collection. Essentially this is an “opt-in” process.
- Data Transferability and Portability. The GDPR has very specific rules about the right of residents to transfer or “port” their data to other processors without penalty or delay. In addition, if companies plan to transfer data outside of the EU, very specific requirements apply. This is going to be of particular importance to cloud vendors and to companies that deliver services or applications via the cloud.
It’s not too early to start your GDPR planning if you are doing business with EU citizens or organizations. The regulation is complex and broad. Companies need to identify what information they collect and store that is, in fact, GDPR-covered PII, and determine where it is stored, who accesses it, and whether it is protected. For most large international organizations, this is no small undertaking.