As we near the enforcement date of May 25th, GDPR seems to be the buzzword of the month. But what is it? And, more importantly, what does it mean for your business?
Doing your research and preparing now will not only help you stay compliant yourself, but also answer any questions your clients have about how you’re handling their personal data.
In short, GDPR stands for the General Data Protection Regulation, a regulation in European Union law. It was developed to return control of personal data to the individuals it describes, and it also simplifies the regulatory environment by replacing the patchwork of national data protection laws with a single set of rules that applies across the EU.
While it may seem to be a recent focus for businesses and in the press, it was actually adopted over two years ago – in April of 2016. The renewed exposure is due to the fact that the regulation becomes enforceable on May 25th, 2018, after a two-year transition period.
The GDPR protects individuals’ personal data, which it defines broadly as any information relating to an identified or identifiable natural person, so the list of what counts is wide-ranging. In practice this covers basic identity information (name, address, ID numbers), web data such as IP addresses and cookie identifiers, and the “special categories” that receive stricter treatment: biometric data, health and genetic data, racial or ethnic origin, sexual orientation, religious beliefs, and political opinions.
In order to protect that data, the regulation sets out the lawful bases for processing, the definition of valid consent, and the steps to follow in the event of a data breach (including notifying the supervisory authority within 72 hours of becoming aware of it), among other requirements for compliance.
One example of a GDPR requirement is the right to be forgotten, formally the right to erasure. Where one of the grounds in the regulation applies, such as the data no longer being necessary or consent being withdrawn, it compels companies to erase an individual’s personal data upon request. The regulation also requires that data be kept “in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.”
Additionally, some companies are required to appoint a Data Protection Officer to oversee GDPR compliance and data security: public authorities, and organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of the special categories of data. The International Association of Privacy Professionals estimates that nearly 30,000 companies will need to hire a DPO.
Potentially the biggest area of concern for security teams lies in Articles 25 and 32. Article 25 requires data protection by design and by default, and Article 32 requires “appropriate” technical and organisational measures to secure processing, taking into account the state of the art, the cost of implementation, and the risk to individuals. The regulation names pseudonymisation and encryption, the ability to restore availability after an incident, and regular testing of security measures as examples, but it does not prescribe specific controls, so what counts as “appropriate” is ultimately judged by the supervisory authorities and the courts.
You may be thinking, “Whew – I’m not based in the EU, glad I don’t have to worry about compliance.” You may be right. However, if you have an establishment in an EU country, or you offer goods or services to people in the EU or monitor their behaviour, you are required to comply regardless of where your company is based. Company size does not exempt you: the 250-employee threshold that is often cited only relaxes the record-keeping obligation for smaller organizations, it does not remove the regulation’s other requirements.
Furthermore, the GDPR places obligations on both data controllers and data processors. Controllers may only use processors that provide sufficient guarantees of compliance and must bind them by contract, so if you’re relying on a third-party processing service that is not in compliance, your own compliance is at risk as well.
Ultimately, the goal of the GDPR is to force companies to change the way they process, store, and protect personal data. As a result of these requirements and fines, nearly 85% of US-based companies believe that the GDPR will put them at a disadvantage to European companies, according to a study by Ovum.
Enforcement is handled by supervisory authorities, with each member state designating one or more. The GDPR gives them the power to conduct audits, review and withdraw certifications, issue warnings and reprimands, impose limitations or bans on processing, suspend data flows to recipients found non-compliant, and impose administrative fines.
Those administrative fines can be extremely high. For the most serious infringements, they can reach 4% of a business’ total worldwide annual turnover for the preceding financial year or €20 million, whichever is higher; a lower tier of 2% or €10 million applies to other breaches, such as failing to implement adequate security measures.
Management consulting firm Oliver Wyman predicts that the EU could collect as much as $6 billion in fines and penalties in the first year. Don’t let your company be among them!