On May 25th, 2018, the General Data Protection Regulation (GDPR) becomes enforceable for any company that handles the personal data of individuals in the European Union (EU). This regulation, developed as a joint effort by the Council of the EU, the European Commission, and the European Parliament, was adopted in April 2016; however, compliance will be enforced beginning this spring. What does this mean for your company’s data handling processes?
Recognizing that current data handling practices weren’t addressed in outdated legislation, EU leaders worked for more than four years to develop an updated regulation to protect individuals’ data. This includes personally identifying information such as name, address, and ID numbers; web data such as location, IP address, cookie data, and RFID tags; biometric data; sexual orientation; political opinions; and health and genetic data. The goal of GDPR is twofold: (1) to better protect citizens and give them greater control over how businesses handle and use their personal data, and (2) to simplify personal data oversight regulations so that companies must comply with one standardized data protection law.
GDPR provisions include:
- Strengthened consent requirements in clear and plain language and with an easy method to withdraw consent
- Mandatory breach notification within 72 hours
- The Right to be Forgotten, which requires erasure and stopping further dissemination of personal data upon request by an individual
- Individuals can request a document stating what personal data is being processed, where, and for what purpose
- Inclusion of data protection considerations from the onset of projects
- Internal record keeping that provides evidence of compliance
Hefty GDPR Penalties
GDPR fines are steep: “Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million (approximately $24.7 million USD), whichever is greater. This is the maximum fine that can be imposed for the most serious infringements”, making compliance crucial for companies that handle personal data from the EU. However, many companies are not on track to be compliant, and analysts predict the EU will collect nearly $6 billion in fines in the first year alone.
Global GDPR Implications
So how does this regulation affect U.S. businesses? GDPR provisions cover exportation of personal data from the EU, making U.S. companies—and any business around the globe—accountable for GDPR compliance for any data transactions that involve the personal information of EU citizens. The key takeaway is that all companies need to continually evaluate their data protection efforts and either (a) confirm they do not handle EU citizen personal data or (b) urgently prioritize GDPR compliance efforts. Businesses with international operations in particular should not leave this important analysis to chance. It is critical to consult an experienced third party that can help identify and establish data protection protocols that align with GDPR and its compliance requirements for 2018 and beyond.