Chances are likely that you have heard the acronym GDPR in recent news headlines. But, what exactly is this regulation and how does it impact businesses outside of the European Union?
The General Data Protection Regulation (GDPR) legislation was created back in April 2016 and is scheduled for implementation later this month (May 25th, 2018). After this date the law will officially become enforceable. The GDPR legislation was intended to create a set of standard data protection laws across all EU member countries. Additionally, it was to give individuals in the EU a better idea of how their data can be used within an international framework.
GDPR encompasses data controllers, data processors as well as the individuals from which data is being collected. The regulation revolves around protecting “personal data” which is indeed a very general term. The European Commission attempted to clarify the term as... "any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address." This classification covers a very large umbrella of data and intentionally so. The scope of who the GDPR applies to is also enormous – any company outside of the EU that handles data collected from EU residents are now in play. Effectively the GDPR is soon to be an international law.
For example, if you are a US-based marketing company that administers a customer satisfaction survey with PII from EU residents you should be compliant.
How does enforcement work for non-EU companies? Enforcing the regulation on companies outside the EU comes in the form of sanctions for non-compliance. These sanctions can be up to €20 million or 4 percent of global revenues, whichever is higher. The law as specific language written for how it will use the international courts to pursue action against non-EU companies.
GDPR’s privacy-by-design approach includes:
- Data Control
- Risk mitigation efforts
- Right to be forgotten
- Data security
- Breach notification within 72 hours
- Individual consent
If your business activities fall within the scope of these protections make sure your organization is familiar with the regulations and the jurisdiction. In our digital age we are collecting increasingly more data via cloud applications and other services so determining your potential responsibilities as either a data processor or data controller is crucial when financial penalties are involved.