In just about seven months, on May 25, 2018 to be exact, it’s going to get real in the EU. The General Data Protection Regulation (GDPR) will replace the existing Data Protection Directive (95/46/EC) when it comes to regulating how organizations protect the personal data of individuals in the EU.
The purpose of this law, and its strict penalties, is to create more consistent protection of personal data across the EU member states. It sets a baseline, if you will, of standards for how organizations must safeguard the processing of personal data. Because it is a regulation rather than a directive, it applies directly in every member state instead of each state drafting its own implementing law and risking inconsistencies across borders.
GDPR applies not only to companies physically located in the EU, but to any business or organization that offers goods or services to people in the EU, or monitors their behaviour, regardless of where the organization itself is located. Hence the global interest in this law taking effect next year.
While the law itself is lengthy reading, some of the key points include:
- Clear, affirmative consent must be obtained from data subjects when consent is the legal basis for processing (Article 7)
- The right to erasure, or “right to be forgotten” – Article 17 – entitling data subjects to have their personal data erased, among other things
- Right to data portability – Article 20 – enabling data subjects to receive their personal data in a structured, commonly used, machine-readable format and to transmit it to another controller
- Pseudonymizing and encrypting collected data to protect privacy (Article 32 names both as appropriate technical measures; note that truly anonymous data falls outside the regulation altogether)
- Requirements for notifying the supervisory authority of a personal data breach, generally within 72 hours of becoming aware of it (Article 33), and for notifying affected data subjects when the risk to them is high (Article 34)
- Requirements for safe transfers of personal data to countries outside the EU (Chapter V)
- The role of a data protection officer (DPO) to oversee GDPR compliance (Article 37)
The consequences of non-compliance are significant and not to be taken lightly: fines of up to the greater of €20 million or 4% of global annual turnover (Article 83). The stakes are high.
Many companies that already follow best practices for data protection and processing should be in good shape. Everyone, though, should study the language and requirements of GDPR soon to make sure they are compliant by the May 25 deadline.
Veritas has published a Risk and Compliance Analyzer that is a useful resource, and has many other resources available on its website. Microsoft has readiness information on its site as well, and of course a Google search will turn up plenty of other resources, such as the EU GDPR home page and Wired’s coverage.
Whatever you do, take the time to make sure your practices and procedures are on point and in compliance with the new regulations, especially if you do business with anyone in the EU.
I’ll have to agree with your comments on the GDPR, and also add to it by stating that GDPR compliance for U.S. businesses is an overwhelming topic indeed, as I’m finding that organizations really don’t know where to start. What’s the scope? What policies need to be developed? The questions are endless and it can be frustrating, to say the least. My recommendations are to first get a sense of what the scope is, which begins by identifying what type of personal data you store, process, and/or transmit for EU data subjects. Just knowing that should give controllers and processors in the US – and the UK – some comfort. After that, I would move to the all-important Article 32 to see what security policies, procedures, and processes you have in place, or are missing. Good luck!