The General Data Protection Regulation (GDPR), agreed upon by the European Parliament and Council in April 2016, will replace the Data Protection Directive 95/46/ec in Spring 2018 as the primary law regulating how companies protect EU citizens' personal data. Companies that are already in compliance with the Directive must ensure that they are also compliant with the new requirements of the GDPR before it becomes effective on May 25, 2018. Companies that fail to achieve GDPR compliance before the deadline will be subject to stiff penalties and fines.
GDPR requirements apply to each member state of the European Union, aiming to create more consistent protection of consumer and personal data across EU nations. Some of the key privacy and data protection requirements of the GDPR include:
Simply put, the GDPR mandates a baseline set of standards for companies that handle EU citizens’ data to better safeguard the processing and movement of citizens’ personal data.
The purpose of the GDPR is to impose a uniform data security law on all EU members, so that each member state no longer needs to write its own data protection laws and laws are consistent across the entire EU. In addition to EU members, it is important to note that any company that markets goods or services to EU residents, regardless of its location, is subject to the regulation. As a result, GDPR will have an impact on data protection requirements globally.
The GDPR itself contains 11 chapters and 91 articles. The following are some of the chapters and articles that have the greatest potential impact on security operations:
In comparison to the former Data Protection Directive, the GDPR has increased penalties for non-compliance. SAs have more authority than in the previous legislation because the GDPR sets a standard across the EU for all companies that handle EU citizens’ personal data. SAs hold investigative and corrective powers and may issue warnings for non-compliance, perform audits to ensure compliance, require companies to make specified improvements by prescribed deadlines, order data to be erased, and block companies from transferring data to other countries. Data controllers and processors are subject to the SAs’ powers and penalties.
The GDPR also allows SAs to issue larger fines than the Data Protection Directive; fines are determined based on the circumstances of each case and the SA may choose whether to impose their corrective powers with or without fines. For companies that fail to comply with certain GDPR requirements, fines may be up to 2% or 4% of total global annual turnover or €10m or €20m, whichever is greater.
In addition to EU members, it is important to note that any company that markets goods or services to EU residents, regardless of its location, is subject to the regulation. By complying with GDPR requirements, businesses will avoid paying costly penalties while improving customer data protection and trust.
Now that this privacy regulation is active, websites that do not comply will be inaccessible in European states. Most notable among the list of sites temporarily blocked were the Chicago Tribune and LA Times. If your organization’s site collects any of the regulated data from European users — it is liable to comply to GDPR.
Increased public and political scrutiny have thrown American data privacy into the spotlight. At the moment, there is no federal data privacy legislation. However, there have been increasing discussions on the topic. The conversation took a high profile turn with the congressional hearings of Facebook founder Mark Zuckerberg. Many states have instituted laws of their own, the most notable to date being the California Consumer Privacy Act.
According to an Ovum report, about two-thirds of companies in the United States may be rethinking their strategy in Europe as a result of GDPR. However, as companies anticipate an increase in data privacy regulations in the United States, some are realizing that it may be time to implement more stringent data protection measures across the board.
All organizations, from small businesses to large enterprises, must be aware of all GDPR requirements and be prepared to comply with them going forward. For many of these companies, the first step in complying with GDPR is to designate a data protection officer that will build a data protection program to meet GDPR requirements. Once compliant, it is important to stay informed of changes to the law and enforcement methods. The BBC has a GDPR topic page covering current news stories around enforcement and other subjects.
1. Physically Read the GDPR
While there are sections which are difficult to decipher and feature more legal language, every person in a position to be affected by GDPR should attempt to read and understand this landmark legislation.
2. Look to Other Organizations
Businesses all over the world are affected by GDPR, not just those in the European Union. If you, or those in your organization, still lack understanding about the needed steps to reach compliance — reach out to those who are compliant. Many businesses will likely share the steps taken to reach compliance.
3. Pay Close Attention to Your Website
Cookies, opt-ins, data storage and more are things that can be easily setup on a website. Their compliance with GDPR is another matter entirely. While many tools used to collect and store contact data have allowed for compliance, it’s up to you to make sure you’re compliant.
4. Pay Closer Attention to Your Data
All data in your organization must comply with GDPR if you have a presence (either digitally or physically) in the E.U. Properly map out how data enters, is stored and/or transferred and deleted. Knowing every route personal information can take is vital to preventing breaches and ensuring proper reporting in the event of data loss.
Become GDPR & CCPA Compliant without paying thousands.
Works with the latest Wordpress version 5.4.
Includes opt-in modal to ensure compliance.
Destroys all 3rd-party trackers when visitors opt-out.
Receive every week a new article from our privacy experts