General Data Protection Regulation [GDPR]: Your guide to stay compliant
What is GDPR
In April 2016, the European Parliament adopted a new data protection law to replace the aging directive from 1995. The provisions and focus of the new law require businesses to protect the personal data and privacy of all EU citizens for transactions occurring within EU member states. This includes the regulation of personal data exportation outside of the EU.
In May 2018, GDPR officially came into effect. All 28 EU member states now had one standard to for companies to meet to remain compliant. This standard is very high and has required companies to invest in order to meet and administer the new directive.
It has been reported that two thirds of U.S. companies believe GDPR will require them to change their thinking regarding business strategy in Europe. Up to 85 per cent of U.S. companies saw themselves at a competitive disadvantage with European companies if compliance was not adopted in their own businesses.
Why did the law change
It all boiled down to the public’s concern over privacy. Historically, Europe has played a more stringent role when it came to data privacy rules enforced on companies. The GDPR is an updated version of data privacy that incorporates the explosion of the internet/online business hub that exists today. At the time (1995), no one saw the extent to which online sales and personal information collection, transfer and storage would become twenty plus years in the future.
The concern in the past few years has been significant. Lost banking information, lost security information (i.e. passwords) and lost identity information (i.e. passports, licenses) were all top of mind in the public domain.
A key driver toward GDPR is that an astounding 62 per cent of the public intended to hold a company liable for a breach and not the hacker. The lack of trust was growing each year as was the support of legal precedents holding companies responsible for not ensuring proper security measures to protect personal data.
So what privacy data does GDPR protect
· Identity information – name, address and related ID numbers
· Web data – location, IP address, cookie data and RFID tags
· Health, genetic and biometric data
· Racial and/or ethnic data
· Political opinions
· Sexual orientation
What companies are affected by GDPR
GDPR affects any company that stores or processes personal information concerning EU citizens within the EU states. This includes companies that do not have a business presence in the EU.
Here’s a quick glance at the criteria:
· A presence in an EU country
· No presence but processes personal data of EU citizens (residents)
· More than 250 employees
· Fewer than 250 employees but its data process impacts and rights and freedoms of EU data subjects used more than a few times.
When was the effective date of compliance
GDPR came into effect May 25, 2018
Who is responsible in a company to ensure compliance
This of course depends on the size of your company. There are certain roles that are responsible for those companies able to retain the new positions. They include a data protection officer (DPO), data controller and data processor.
Data processors may be an individual or a group assigned to maintain the process of personal data protection including oversight and responsibility of assigning a third party to perform those activities. The GDPR holds all processors liable for breaches and non-compliance. It is entirely possible that even though the third-party processing partner was negligent, the company will also be held responsible.
The data controller’s role in the above scenario is to ensure outside contractors are compliant. They will also work with the data processor to designate a DPO to oversee security of the data and develop the strategy forward in meeting and maintaining GDPR compliance.
If a business processes mass volumes of EU citizens data, process and/or store personal EU citizen information, a company is liable to assign a DPO.
What about third-party contracts
GDPR holds data controllers (company owning the data information) and data processors (third-party used to help manage the data) equally responsible. Any third-party not in compliance means the company will not be compliant.
Reporting of breaches is under new strict rules that include third-parties and timeliness of the report. It also affects the obligation of the company to inform customers of their rights under GDPR.
GDPR is the new way forward concerning not only EU citizens their data protection rights but will also act as a template for many countries to adopt. It is here and it is not an option to leave out of your business.