The start date for the enforcement of the European Union’s General Data Protection Regulation (GDPR) is just around the corner: May 25th, 2018. The regulation, created to protect the personal data of EU citizens, applies to all businesses that interact with EU residents, and non-compliance will be dealt with harshly.
If your business processes any transactions with EU citizens, it’s important to know what the GDPR is and what it means for your company. To help, we’ve gathered the facts about the GDPR, so you’re well-informed before the enforcement date.
What is the General Data Protection Regulation (GDPR)?
The GDPR is a regulation adopted by the European Parliament in 2016. It replaced an outdated data protection directive from 1995. It includes provisions that make it mandatory for businesses to protect the personal data of EU citizens for transactions occurring inside and outside of the EU.
The GDPR provides consistency across all EU member states by setting a single standard for businesses to meet. However, that standard is likely to prove very high, requiring many businesses to make a large financial investment to administer it and comply with it. This may cause U.S. businesses to reconsider their European strategy.
What are the Requirements of the GDPR?
There are 99 articles in the GDPR that define the requirements for compliance. The following are the ones with the biggest impact on businesses:
- Article 5, Processing and storing personal data – This article says that all personal data must be processed transparently and lawfully, and only for the individual’s specified purposes. Additionally, the data is required to be stored “in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed.”
- Articles 6, 7, 8, Consent – Any collection of personal data must be carried out in compliance with the regulation, be necessary to the transaction, and have the individual’s consent for its use.
- Article 15, Right to access – This entitles EU citizens to know (upon request) what personal data a company is utilizing and how it is used.
- Article 17, Right to be forgotten and to data erasure – EU citizens can expect companies that have collected personal information to stop processing and delete the data upon the individual’s request.
- Article 20, Right to data portability – Citizens of the EU are able to transfer their personal data from company to company upon request.
- Articles 25, 32, Data protection – Businesses must provide a “reasonable” level of data protection and privacy to EU citizens.
- Articles 33, 34, Reporting data breaches – Businesses must report any data breach to the appropriate authorities and the affected individuals within 72 hours of the breach.
- Article 35, Impact assessments – Companies are required to conduct data protection impact assessments and identify risks to EU citizens. They must also provide details about how those risks are being addressed.
- Articles 37, 38, 39, Data protection officers – Some companies are required to appoint a data protection officer (DPO). Companies that process or store large amounts of EU citizen data, process or store special categories of personal data, regularly monitor data subjects, or are a public authority are among those that will have to appoint a DPO to ensure compliance with the GDPR.
- Article 50, International companies – International businesses that gather or process data of EU citizens are required to comply with the GDPR.
- Article 83, Penalties – Businesses can be fined up to €20 million or 4% of global turnover, whichever is more.
What are the Benefits of the GDPR?
While the regulation may be strict, with harsh penalties, there are also some benefits for staying in compliance with the GDPR.
- Better data governance – The GDPR tenets are designed to protect the personal data of EU citizens. When your business complies with the rules to protect all customers, you will also improve overall data organization and management.
- Improved public image – All customers want to know their personal information is safe and secure. When you comply with the GDPR and apply the measures to all customers, it will improve your overall trustworthiness with the public as a whole.
- Improved IT – You may have to update or upgrade IT infrastructures to stay in compliance with the GDPR. This will protect your overall business from possible data breaches.
Final Thoughts on GDPR Compliance
How much work is involved depends on how these changes affect your business, since each business handles customer data differently. The GDPR is not something to ignore, though you may not need to make many adjustments to be compliant. Even if few changes are needed, this is an opportune time to recheck your privacy policies and make sure you’re doing everything possible to keep customer information safe.