In just about seven months, on May 25, 2018 to be exact, it’s going to get real in the EU. The General Data Protection Regulation (GDPR) will replace the existing Data Protection Directive when it comes to regulating how companies protect the personal data of EU citizens.
The purpose of this law, and of its strict penalties, is to create more consistent protection of data across the EU nations. It will create a baseline, if you will, of standards for companies to better safeguard the processing of personal data, and will free the member states from having to draft their own compliance laws, which risk inconsistencies across borders.
GDPR applies not only to companies physically located in the EU nations, but to all businesses and organizations that market goods or services to EU residents, regardless of where they are located. Hence the global interest in this new law taking effect next year.
While the law itself is lengthy reading, some of the key points include:
- Clear consent for data processing must be obtained from subjects
- The right to be forgotten – Article 17 – entitling data subjects to have their personal data erased, among other things
- The right to data portability – Article 20 – enabling data subjects to receive their personal data and to transmit it to another controller
- Making collected data anonymous to protect privacy
- Requirements for providing data breach notifications
- Safe cross-border data transfer requirements
- The role of a data protection officer to oversee GDPR compliance
The consequences of not being in compliance with this new law are significant, and not to be taken lightly. When you’re looking at a fine of up to the greater of €20m or 4% of global annual turnover, the stakes for non-compliance are high.
Many companies that employ best practices when it comes to data protection and processing should already be in good shape. However, everyone should make sure they study up on the language and requirements of GDPR soon to ensure they are compliant by the May 25th deadline.
Veritas has shared a useful Risk and Compliance Analyzer, and also has many resources available on their website. Microsoft has readiness information on their site as well, and of course there is always Google, where you can find a plethora of other resources such as the EU GDPR home page and Wired.
Whatever you do, take the time to make sure your practices and procedures are on point and in compliance with the new regulations, especially if you do business with anyone in the EU.