GDPR – Am I In Compliance?
The General Data Protection Regulation (GDPR) went into effect on May 25th, 2018, creating major procedural and policy challenges for companies that store and process data pertaining to residents of the European Union. The EU initiative is designed to heighten transparency and consumer control over data, and places an immediate onus on companies and marketers to achieve compliance. Whether your company has already been impacted, or you anticipate being impacted as similar regulatory changes inevitably occur in the U.S., you need to understand the GDPR and how it affects your security, marketing, and business practices. Read on to learn more about how you can become compliant.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a sweeping new set of standards concerning all companies operating within the EU, or web-based companies collecting and processing data belonging to citizens of the EU. The GDPR raises the bar for protecting customer privacy and achieving transparency in operations. Companies impacted by the GDPR are now required to meet a heightened threshold for the assurance of privacy rights, data control, security, and corporate governance.
The net effect of these standards is both an immediate impetus for impacted companies to ensure compliance, and a possible warning of change to come for companies that are not yet directly impacted. The GDPR may well be an indicator that other economies—the United States included—might soon enact their own heightened data security standards.
What Does It Mean for Me?
If you are a company based in the EU or a web-based company managing data belonging to EU citizens, you should already be compliant. A two-year grace period preceded the May 25th activation date. If you haven’t already achieved compliance, you should be well on your way, or you should be taking aggressive steps to initiate the process.
According to Forbes, failure to comply with the new regulations can result in fines as high as 20 million Euros, or 4% of a company’s global revenue—whichever is the larger of the two. There is compelling reason to achieve compliance or at least to show that you are taking real and demonstrable steps to do so.
If you are a company based in the United States and you are not yet directly impacted by the GDPR, you might at least consider this a sign of things to come. While you are not yet legally beholden to the compliance terms laid out below, you can treat these requirements as a roadmap for improving your own data management practices. This would put you in a prime position to make nimble adjustments when similar data protection requirements arrive in U.S. markets and elsewhere.
What Steps Can I Take To Achieve Compliance?
The GDPR now provides an array of protective parameters for any data that can be used to identify an individual, including genetic, religious, or cultural data. According to Article 1 of the GDPR, the following rules relate “to the protection of natural persons with regard to the processing of personal data and… to the free movement of personal data.”
- Hiring a Data Protection Officer (DPO)
Any company or organization with more than 10 to 15 employees must appoint a DPO. This is the individual responsible for ensuring that you achieve and maintain compliance through regular and systematic monitoring of data management, storage, and protection strategies.
- Obtaining Customer Consent
GDPR heightens the requirements around achieving customer consent. Consent must now be obtained in explicit and provable form any time that customer data is collected and stored. Part of receiving consent must also include notification of any intended uses for the collected data as well as clear accommodations for those who wish to change data or withdraw consent.
- Performing Data Protection Impact Assessment (DPIA)
Your organization must perform a Data Protection Impact Assessment (DPIA) at the start of each project in which personal data is permanently stored. This assessment should determine your compliance with privacy laws and regulations, identify any existing risks to customer data, and assess the protections in place to address those risks.
- Reporting Data Breaches
GDPR requires that organizations suffering data breaches notify local data protection authorities within 72 hours of an attack. For many companies, this means updating the technology used to detect such breaches, which can in turn demand significant infrastructural overhaul and employee training. This step will likely prove among the more demanding and costly challenges of achieving compliance.
- Deleting Old Data
The new Regulation discourages the unnecessary stockpiling of data by requiring companies to dispose of data that has outlived its intended purpose. Likewise, companies must be responsive to customer demands relating to the withdrawal of consent and the removal of any and all data from existing databases, data streams, and repositories.
While these steps are among the most notable and pressing, the GDPR comes with a far wider and more detailed set of requirements as well as related guidance toward achieving compliance. You can view the full text of the GDPR here.
Or, for personal guidance on your way to compliance, speak to one of our Business & Investment attorneys today: