The European Union’s Parliament approved and adopted the General Data Protection Regulation (GDPR) in April 2016. This regulation will take effect after a two-year transitional period, meaning it will be fully enforced on May 25, 2018. At this time, if organizations are non-compliant, they will face hefty fines. There is a tiered approach to these fines; however, at a maximum an organization can be charged 4% of annual global turnover or 20 million euros ($23,554,200).
The GDPR applies to all organizations that process and hold the personal information of EU residents, regardless of the company’s location. To exemplify, the regulation pertains to all organizations located within the EU, as well as organizations that are located outside of the EU that offer good, services, or observe the behavior of EU citizens. These rules also apply to both controllers and processors of information, meaning that the cloud and other technologies are not exempt from the GDPR.
If information can be used to identify a person, directly or indirectly, it is protected under the GDPR. This includes but is not limited to names, email addresses, financials, medical data, and computer IPs.
Steps to take to prepare for the GDPR:
- Perform a compliance audit against the GDPR legal framework to identify where gaps exist, then work to remediate these shortcomings.
- Classify the personal data your organization possesses that is protected by the GDPR and implement the appropriate security measures. This includes understanding what information you have, where it came from, who it is shared with, and who has access to it.
- Appoint a data protection officer for your organization.
- Document all processes and keep a record for the Data Protection Association (DPA) in the country or countries your organization conducts business.
- Make sure the appropriate contracts are in place to protect your organization and ensure that the businesses you engage with are employing the same security measures.
Infringements of the GDPR include:
- Not having sufficient customer consent to process personal information.
- Not having records in order.
- Violating the “Privacy by Design” and “Privacy by Default” concepts.
- Failing to notify the data subject and the supervising authority about a breach or incident.
- Not conducting an impact assessment.
Altogether, the GDPR is the most important change to data privacy regulations in decades. It is intended to make organizations more secure and accountable to their data subjects during all stages of their interactions. For more questions or to implement GDPR standards in your organization, please CONTACT US.