If you do business in or with the European Union, important changes are coming that will affect how your business collects, stores, and manages the personal data of individuals in EU member states.
Known as the General Data Protection Regulation (GDPR), it will require your organization to review and refine its data handling, security, privacy, and compliance procedures or potentially face hefty fines.
GDPR is a top priority for over half of American organizations, according to a recent survey, yet almost 25 percent have not started preparing, and only 2 percent of cloud applications (including popular ones like Office 365, Google Drive, Salesforce and Dropbox) are currently compliant.
Clearly, there is a great deal of work to do, and there is a lot your organization likely needs to know about the regulation, so here are answers to some of the most common questions about GDPR compliance.
When Do the Regulations Come Into Effect?
The regulation was approved by the European Parliament on April 14, 2016 and applies, with enforcement, from May 25, 2018 onwards. It replaces and strengthens the previous Data Protection Directive (95/46/EC), which was adopted in 1995.
Who Does the GDPR Impact?
The GDPR applies to any business established in the EU, and to any business outside the EU that offers goods or services to individuals in the EU or monitors their behaviour, regardless of where the company is located. It covers both controllers (who decide why and how personal data is processed) and processors (who process it on a controller's behalf).
How Do the Regulations Protect EU Citizens?
The regulation is intended to unify and strengthen data protection for individuals in the EU, and it sets specific requirements for data security, data privacy, and demonstrable compliance. Most importantly, it guarantees a Right of Access: data subjects have the right to learn whether, where, and for what purpose data concerning them is being processed, and to receive a copy of that personal data free of charge (a fee may be charged only for further copies). This is a major shift toward data transparency.
What Are the Penalties for Not Following the GDPR?
The penalties for non-compliance can be severe, but each case is evaluated individually according to the nature, gravity, and duration of the infringement. Fines fall into two tiers: up to €10 million or 2 percent of annual worldwide turnover for the preceding financial year, whichever is higher, for lesser infringements (for example, failing to keep processing records or to notify a breach), and up to €20 million or 4 percent of annual worldwide turnover, whichever is higher, for the most serious ones (such as violating the basic processing principles or data subjects' rights). Fines apply to both data controllers and data processors, so cloud service providers that process personal data on a customer's behalf are not exempt from enforcement.
What Are the Main Changes a Business Needs to Make to be Compliant?
The main areas where businesses will need to make changes are:
- Notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it (unless the breach is unlikely to put individuals at risk), and notify the affected individuals without undue delay when the breach is likely to put them at high risk
- Provide the Right of Access to personal data, including a copy of the data and information about how it is processed
- Provide the Right to Erasure, also known as the "Right to be Forgotten", so that personal data is deleted when it is no longer needed or consent is withdrawn
- Provide for Data Portability: a data subject's right to receive their data in a structured, commonly used, machine-readable format and to move it to another controller
- Build data protection into systems by design and by default, from the start of development rather than as a later upgrade
The time to start on GDPR compliance is now. Speak with your executive team about the importance of GDPR, and get your project and audit teams in place so you can be fully compliant by May 2018.
As marketing lead for Crossmatch, John is actively involved in championing identity management and biometrics technology solutions. His involvement and fascination with leveraging technology to address unique business challenges began earlier in his career, as Product Manager for GE’s Imagination Breakthrough innovation, VeriWise, a satellite-based asset intelligence and tracking solution for the transportation industry. He later went on to run sales and marketing for Vectronix, Inc., a subsidiary of a Switzerland-based producer of electro-optic and north-finding devices for military and law enforcement applications. John currently serves on the Board of the International Biometrics & Identity Association (IBIA).