The General Data Protection Regulation (GDPR), which will take effect on May 25, 2018, is the biggest overhaul of European Union (EU) data protection law in more than 20 years. It replaces the Data Protection Directive, which was adopted in 1995, and is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy, and to reshape the way organizations across the region approach data privacy.
Not only will the GDPR affect organizations within the European Union, but it will also apply to companies outside of the region if they offer goods or services to, or monitor the behavior of, people within the EU. Another rule will make it mandatory for companies to notify their data protection authority about a data breach within 72 hours of first becoming aware of it. The processor of the data will need to notify customers “without undue delay” after learning of the breach.
What Privacy Data Does the GDPR Protect?
- Basic Identity Information: Name, Address, and ID Numbers
- Biometric Data
- Health and Genetic Data
- Political Opinions
- Racial or Ethnic Data
- Sexual Orientation
- Web Data, such as Location, IP Address, Cookie Data, and Radio-Frequency Identification (RFID)
What Companies Are Affected by the GDPR?
Any company that stores or processes personal information about European Union (EU) citizens within EU states must comply with the GDPR, even if they do not have a business presence within the EU. Specific criteria for companies required to comply are:
When Do Companies Need to be in Compliance?
Companies must be able to show compliance by May 25, 2018.
What If a Company is Not in Compliance?
The GDPR allows for steep penalties of up to €20 million or 4% of global annual turnover, whichever is higher, for non-compliance. According to a report from Ovum, 52% of companies believe they will be fined for non-compliance. Management consulting firm Oliver Wyman predicts that the EU could collect as much as $6 billion in fines and penalties in the first year.
If your organization is not in compliance by the May 25 deadline, it will not be alone. Estimates vary, but the consensus is that about half of the U.S. companies that should be compliant will not be on all requirements. According to a survey by Solix Technologies, 22% of companies were still unaware that they must comply with GDPR. Thirty-eight percent said that the personal data they process is not protected from misuse and unauthorized access at every stage of its life cycle.
What Roles within an Organization are Responsible for Compliance?
The GDPR defines several roles that are responsible for ensuring compliance: Data Controller, Data Processor, and the Data Protection Officer (DPO). The Data Controller defines how personal data is processed and the purposes for which it is processed. The Data Controller is also responsible for making sure that outside contractors comply.
Data Processors may be the internal groups that maintain and process personal data records or any outsourcing firm that performs all or part of those activities. The GDPR holds processors liable for breaches or non-compliance. It’s possible, then, that both your company and processing partner, such as a Cloud provider, will be liable for penalties even if the fault is entirely on the processing partner.
The GDPR requires the Data Controller and the Data Processor to designate a Data Protection Officer (DPO) to oversee data security strategy and GDPR compliance. Companies are required to have a DPO if they process or store large amounts of EU citizen data, process or store special personal data, regularly monitor data subjects, or are a public authority. Some public entities, such as law enforcement may be exempt from the DPO requirement.
How Should Companies Prepare for the GDPR?
- Appoint a Data Protection Officer (DPO) and Prepare them with Appropriate Training & Certification
- Conduct a Risk Assessment
- Create a Data Protection Plan
- Create a Plan to Report Your GDPR Compliance Progress
- Implement Measures to Mitigate Risk
- Set a Sense of Urgency that Comes from Top Management
Some Closing Thoughts
Essentially, there are five pieces to remember about the General Data Protection Regulation (GDPR): (1) Companies must be able to show compliance by May 25, 2018; (2) The GDPR will affect companies located in the European Union, as well as those that have operations and customers there; (3) The key principle of GDPR is giving consumers control of their data; (4) There are fines of up to 4% of total global turnover if rules in the GDPR are breached; and (5) The GDPR defines roles that are responsible for ensuring compliance: Data Controller, Data Processor, and Data Protection Officer (DPO).
Clearly, there’s a lot to learn, there’s a lot at stake, and there’s a lot of opportunity for privacy professionals with the right training and education. As an International Association of Privacy Professionals (IAPP) official training partner, New Horizons can get you the privacy training you need to help your organizations successfully manage risks and protect your data. See the complete details about our IAPP certification training courses here.