As of May 25, 2018, organizations with professional ties to the European Union will need to comply with the new General Data Protection Regulation (GDPR) standards. Maintaining compliance is required of all organizations, as well as all relevant vendors and partners, conducting business in any of the EU member states.
A recent survey conducted by the Sage Group found that 91% of American businesses lack awareness of GDPR, while 84% don’t understand the implications GDPR poses to their business.
What is GDPR?
According to the EU’s GDPR website, the GDPR legislation was designed to harmonize data privacy laws across the European Union, to empower and protect data privacy rights for all EU citizens, and to outline the ways companies conducting business in the EU must approach data privacy. The legislation was approved by the EU Parliament on April 14, 2016 and went into effect on May 25, 2018. GDPR replaces the Data Protection Directive 95/46/EC of 1995. The reform states “Stronger rules on data protection mean people have more control over their personal data and businesses benefit from a level playing field.”
Key highlights of this reform include:
- Right to Data Privacy Protection
The company collecting data must implement appropriate measures to protect all data being collected. Systems must be designed and developed to prevent breaches and protect the rights of the data subjects, access to personal data must be limited to individuals required to process or act on the data, and companies may only hold and process data which is absolutely necessary to meet their stated objectives. Companies will also be required to keep internal records on their data protection practices and procedures, such as why the data is being collected, a description of the types of data being collected, how long the data is kept, what security measures are in place to protect the data, and how the data will be disposed of.
- Right to Access
Allows individuals to obtain, free of charge, an electronic copy of all the information a company has compiled about them, including the reason why the data was collected.
- Right to be Forgotten
The right to be forgotten, also known as Data Erasure, entitles the subject to have the company erase his/her personal data and requires the organization to halt any further dissemination or processing of the data, even by third parties.
- Right to Give Consent
The GDPR specifically prohibits the use of long, confusing terms and conditions statements that contain a lot of legalese and are difficult for most people to understand. When a company asks a consumer to give his or her consent to use personal information, the language “should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms”.
- Appointment of Data Protection Officers (DPO)
For companies that conduct regular and systematic monitoring of individuals on a large-scale basis, or those collecting sensitive data such as medical records, children’s data, or criminal convictions or offenses, the appointment of a DPO is a mandatory requirement. Appointed DPOs must:
- Have expert knowledge on data protection laws/practices and must stay current on any changes to these laws/practices
- Be provided with the appropriate resources to carry out their tasks
- Report directly to the highest level of management
- Be a member of the company’s staff or an external service provider
- Register with the relevant Data Protection Agency
- Not carry out any other assignments or tasks that may result in a conflict of interest
- Right to Receive Breach Notifications
Companies are required to notify all individuals affected by a data breach, where the data breach is likely to “result in a risk for the rights and freedoms of individuals”, within 72 hours of becoming aware of the breach. Data processors are also required to notify their customers “without undue delay”.
GDPR regulators have the ability to fine businesses that don’t comply with the GDPR obligations. Smaller offenses may result in fines up to €10 million or 2% of a firm’s global turnover, whichever is greater. Larger offenses may result in fines up to €20 million or 4% of a firm’s global turnover, whichever is higher.
Who is Affected by GDPR?
Any U.S. business that has a web presence (localized web content) or that markets its products via the web to anyone in any of the 28 EU member states will be affected by GDPR. Article 3 of the GDPR states that if you collect personal data or behavioral information on anyone in any EU country, your company is subject to the requirements of the GDPR. It is important to note that generic marketing does not fall under the scope of GDPR.
What Steps Can I Take to Become GDPR Compliant?
- Determine if you’re a controller or a processor. The regulation breaks out responsibility for protecting data into two roles: controllers and processors, although both are liable for upholding data subjects’ rights. Gain an understanding of the GDPR definitions and get advice from your legal team.
- Audit your data. Identify what data you are collecting, where you store it, why you have it, how long you keep it, and how you delete it.
- Determine which EU member state will be your supervisory authority and appoint a representative from your company to be the point of contact for all GDPR communications.
- If applicable, appoint a Data Protection Officer.
- Update your consent forms and terms and conditions statements. Consumers must be able to select the conditions they agree with and decline those they don’t.
- Audit your third-party providers and re-evaluate service agreements to ensure GDPR compliance.
- Keep records of your company’s efforts to be GDPR compliant.