GDPR: What Is It and Will It Bring a Change to Data and Security Practices in the U.S.?

As the European Union (EU) has enacted the General Data Protection Regulation (GDPR), it iseasyto perceive this regulation would apply to only multinational or European companies.GDPR will certainly impact businesses in the EU, but it will extend its applicability to international businesses that obtain information about EU citizens.

GDPR is all about the protection of consumer data, in other words, personal data of consumers that businesses will collect in the EU. This includes basic identifiable information such as name, address and ID numbers but expands it to include web data such as location, IP address, cookie data and RFID tags. Any other generic data such as health or biometrics, racial or ethnic data and political, religious beliefs, trade union membership, etc. are also considered personal data.

EU regards the protection of personal data as a fundamental right of its citizens. It had a data protection directive issued in 1995, which became outdated with the advancement in technology. Therefore, it has issued this comprehensive regulation.

Compliance is expected to be in place by May 2018.

Being a new regulation with extra territorial implications within the international trade, GDPR is expected to develop as it unfolds. Some of the key features are:

Within 72 hours of becoming aware of a breach, the data controller is required to provide a notification to the data subject and to the corresponding Data Protection Authority (DPA) (each member country has its own DPA offices).

The regulation has penalties for non-compliance. Maximum fines for GDPR organizations in breach of GDPR can be up to 4% of annual global turnoveror€20 Million (whichever is greater).

If you believe you collect personal data in your course of business, and that personal data would include EU citizens, you should have started your compliance program by now.The risk of non-compliance is not only from EU enforcement agencies, but also from consumers as EU citizens may prefer to buy goods and services from GDPR compliant businesses. U.S. companies not demonstrating compliance could be at a disadvantage. While compliance is not required, it’s equally important to demonstrate compliance or efforts towards compliance.

No. You may already have some privacy and confidentiality-related policies in place. Begin with an understanding of where you are right now (through internal analysis) and where you need to be (through the understanding of regulation). Simpler said than done, mobilize resources before consumers come asking. If you think you are not ready, take steps to prepare.Combining GDPR compliance with overall cybersecurity initiatives will bring in much-needed efficiency. There are more data facts to protect because of GDPR and understanding where the critical data rests and is transported is fundamental to both GDPR and overall cybersecurity preparedness.

Check and see if your organization has any cyber policies and procedures in place. Do those policies and procedures align to the compliance needs of GDPR? As mentioned, you may already have the required elements in place but need to enhance some areas. If you need guidance on ensuring compliance or need additional assistance, Withum’s Cyber and Information Security Services team can assist your organization to comply.