Note: You can read my full analysis of the GDPR here.
The General Data Protection Regulation (GDPR), a new European Union regulation with global implications, is set to go into effect on May 25th. In this post, we highlight some of the new data privacy requirements brought on by the GDPR and what you can do to prepare for the most important change in data regulation in 20 years.
What Is It?
The GDPR, which replaces the Data Protection Directive 95/46/EC, aims to standardize various protections for the consumer and personal data of EU citizens across EU member states. The GDPR defines personal data as “information relating to an identified or identifiable natural person,” which includes basic information like name and email address, but also extends into grayer areas like IP addresses and device IDs.
It is important to note that while the GDPR is a European Union regulation, any corporate entity that markets or sells goods or services to EU residents is also subject to it, which means there is a good chance that your organization will be affected in some way or another.
Key Requirements of the GDPR
The GDPR itself consists of 11 chapters and 91 articles. While the entirety of the regulation has the potential to significantly impact businesses, the following are some of the key requirements companies need to be aware of:
- Increased territorial scope and extra-territorial applicability
- Increased scrutiny of distinction and liabilities between data controllers and data processors
- Increased penalties for violations and non-compliance
- Expansion of data subject rights including the right to access and right to be forgotten
- Providing prompt declaration and notifications in the event of a data breach
- Requiring certain organizations to appoint a Data Protection Officer
What Does It Mean For Me?
As previously stated, the GDPR applies not only to EU nations, but to any organization that processes the personal data of EU residents, regardless of its physical location. This includes companies that offer goods and services to EU citizens (regardless of whether a payment or transaction takes place) as well as companies that monitor behavior that takes place within the EU. According to the official GDPR website, “non-EU businesses processing the data of EU citizens will have to appoint a representative in the EU.” If your company collects data on EU residents, some aspects of the GDPR will apply to you, although the full extent won’t be known until the regulation goes into effect.
What Can I Do to Prepare?
Although the deadline for GDPR compliance is just two months away, there are many steps an organization can take to ensure that it will be ready when the law comes into effect. The first step you can take is to familiarize yourself with the law and how your company might be affected. By being knowledgeable about the legislation and some of its provisions, you can start championing GDPR compliance within your organization so that everyone understands the rules surrounding the regulation.
Another great step to take in preparation for the GDPR is an evaluation of your company’s current privacy policies. Privacy policies are often forgotten in day-to-day business, but with many of the GDPR’s provisions directly affecting customer data, they might be worth revisiting and potentially updating. Another prudent step is to review how your organization handles website cookies, as the GDPR guidelines for data subject consent are extremely strict.
Finally, if your organization is concerned about fines and penalties as a result of data breaches, working with an experienced cyber-security firm may be extremely beneficial. They will be able to work with you and review your current systems to make sure that you won’t be in violation.
Is your organization ready for the GDPR? Leave a comment below to let us know what steps you’ve taken to ensure your compliance.