As the European Union (EU) has enacted the General Data Protection Regulation (GDPR), it is easy to perceive this regulation would apply to only multinational or European companies. GDPR will certainly impact businesses in EU; but it will extend its applicability for international businesses who obtain information about EU citizens.
GDPR is all about protection of consumer data, in other words personal data of consumers that businesses will collect in EU. This includes basic identifiable information such as name, address and ID numbers but expands it to include web data such as location, IP address, cookie data and RFID tags. Any other generic data such as health or biometrics, racial or ethnic data and political, religious beliefs, trade union membership, etc. are also considered as personal data.
EU regards protection of personal data as a fundamental right of its citizens. It had a data protection directive issued in 1995, which became outdated with the advancement in technology. Therefore, it has issued this comprehensive regulation.
Compliance is expected to be in place by May 2018.
Being a new regulation with extra territorial implications within the international trade, GDPR is expected to develop as it unfolds. Some of the key features are:
Within 72 hours of becoming aware of a breach, the data controller is required to provide a notification to the data subject and to the corresponding Data Protection Authority (DPA) (each member country has their own DPA offices).
The regulation has penalties for non-compliance. Maximum fines for under GDPR organizations in breach of GDPR can be up to 4% of annual global turnover or €20 Million (whichever is greater).
If you believe you collect personal data in your course of business, and that personal data would include EU citizens, you should have started your compliance program by now. The risk of non-compliance is not only from EU enforcement agencies, but also from consumers as EU citizens may prefer to buy goods and services from GDPR compliant businesses. U.S. companies not demonstrating compliance could be at a disadvantage. While compliance is not required, it’s equally important to demonstrate compliance or efforts towards compliance.
No. You may already have some privacy and confidentiality related policies in place. Begin with an understanding of where you are right now (through internal analysis) and where you need to be (through understanding of regulation). Simpler said than done, mobilize resources before consumers come asking. If you think you are not ready, take steps to prepare. Combining GDPR compliance with overall cybersecurity initiatives will bring in much needed efficiency. There are more data facts to protect because of GDPR and understanding where the critical data rests and is transported is fundamental to both GDPR and overall cybersecurity preparedness.
Check and see if your organization has any cyber policies and procedures in place. Do those policies and procedures align to the compliance needs of GDPR? As mentioned, you may already have the required elements in place but need to enhance some areas. If you need guidance on ensuring compliance or need additional assistance, Withum’s Cyber Secure team can assist your organization to comply.
Is your organization GDPR compliant? Schedule a consultation or contact Withum’s Cyber Secure Services at 609-514-5597.