The European Union has updated its consumer data privacy regulations. The General Data Protection Regulation (GDPR) is a robust piece of legislation that is setting a new standard for how EU companies manage and protect their customers’ data. The EU is known for imposing considerably stricter cybersecurity requirements than the U.S., but many of the companies that conduct business in the EU do not yet have the digital infrastructure in place to comply with the new law. And time is running out: the EU adopted the GDPR in April 2016 and expects companies to be GDPR-compliant by May 25, 2018. So, if your company conducts online transactions in the EU, take a moment to learn about the GDPR and the steps you can take to comply with the law.
What Is the GDPR?
The GDPR is a comprehensive set of cybersecurity guidelines designed to help companies protect the data they collect from EU citizens. Previously, EU companies relied on an older data protection provision from the mid-1990s. But the internet has evolved considerably since then, and consumers are becoming increasingly concerned about how companies monitor and collect their data.
The GDPR will serve as the main data privacy regulation for the EU, including all 28 of its member states. It mandates that all companies conducting online transactions in the EU provide a “reasonable” level of protection for EU citizens’ personal data, but the word “reasonable” leaves a great deal open to interpretation. Despite this gray area, companies can begin updating their digital infrastructure by understanding the basic features of the law.
The regulation covers a wide range of collected data, including information that falls into the following categories:
- Information regarding the user’s identity such as a person’s name and address, racial identity, sexual orientation, or immigration status
- Web access location data such as IP addresses, cookie data and RFID tags
- Health and biometric data
- Political affiliation
The GDPR lays out the following requirements:
- Companies can only collect personal data if they have the individual’s permission.
- The data can be stored for “no longer than is necessary for the purposes for which the personal data are processed.”
- All personal data must be made portable, so that it can transfer from one company to another.
- Companies must erase personal data if the individual makes such a request.
- Companies must report data breaches to supervisory authorities and to those affected by the breach within 72 hours of first detecting the breach.
- Companies must inform their customers of their rights under the GDPR.
- Companies must perform regular impact assessments by identifying vulnerable areas and implementing solutions to fix them.
Who Needs to Comply with the GDPR?
Any company that collects or stores the personal data of EU citizens will need to comply with the law. If your company meets one of the following criteria, it will need to be GDPR-compliant by May 25:
- Any company with a presence in the EU
- Any company that processes the personal data of EU citizens
- Any company with over 250 employees
- Any company with fewer than 250 employees that regularly processes personal data in a way that could infringe on the freedoms of its data subjects, or that collects certain types of sensitive personal data
With companies collecting so much personal data during every transaction, this new regulation will affect just about every company with a digital presence in the EU.
The GDPR affects data controllers (the company that owns or collects the data) and data processors (additional companies that help manage and organize the data) equally. If a company works with third-party vendors, SaaS providers, payroll providers, or a cloud data storage company, it needs to make sure that every party with access to customer data is meeting the requirements of the GDPR.
What Are the Consequences for Not Complying with the GDPR?
Companies that do not comply with the GDPR by May 25 may be fined up to €20 million or 4 percent of global annual turnover, whichever is higher. As hundreds of companies struggle to meet the upcoming deadline, the EU will have to deal with a glut of noncompliant parties. Industry experts believe that the EU will target the largest non-compliant companies first, possibly collecting as much as €6 billion in penalties in the first year.
There is some debate as to how companies will be fined for minor infractions or for breaches that do not negatively impact the lives of EU citizens. The EU will need to reassess its enforcement policies once the law goes into effect, and it may adopt a zero-tolerance policy that penalizes all non-compliant companies equally.
How Can Companies Comply with the GDPR?
Companies unsure of how they can comply with the new law should focus on the following priorities:
Update Client Contracts
Every client contract needs to reflect the changes brought about by the GDPR. IT and data security professionals should first establish a data process that complies with the law and update all client contracts accordingly.
Make GDPR Compliance a Priority for Every Department
At most companies, the IT department is not adequately equipped to handle these changes by itself. Every department at the company should be responsible for complying with the law, including marketing, finance, and sales. The GDPR will affect just about every department at the company, and adopting these new policies will be a group effort.
Hire a DPO
A DPO (data protection officer) will be the company’s first line of defense against GDPR noncompliance. This person may be someone who already works for the company, a remote part-time employee, or a third-party consultant.
The GDPR means that many companies in the EU and abroad will need to reassess their cybersecurity and data collection policies, all while adhering to a tight deadline. As overwhelming as this process can be, companies that will be affected by the law may want to contact a data collection expert for additional assistance.