The European Parliament passed the General Data Protection Regulation (GDPR) in April 2016. The law is one of the most sweeping privacy laws protecting citizens ever to be put on the books, and is scheduled to take effect on May 25, 2018.
One of the most misunderstood things about this law is that it covers EU citizen data regardless of which country the company using that data is located in. This means that any company in the world that stores protected EU citizen data has less than a year to come into compliance with the GDPR.
According to the GDPR’s website, “The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.”
Here’s what that means.
What Data Is Protected?
The GDPR protects personal data and sensitive personal data. This includes:
- Personal data: Name, location, identification numbers, IP address, cookies, RFID info
- Sensitive personal data: Health data, genetic data, biometric data, racial or ethnic data, political opinions, sexual orientation
Key Compliance Points
The GDPR grants certain rights to EU citizens while putting certain rules into place for companies and government entities that handle their data:
- EU citizens have the right to access their data as well as information about how it is being used
- EU citizens can take their data to a different agency upon request
- Companies must report data breaches in a timely fashion
- Certain companies and governmental organizations must appoint a data protection officer
- EU citizens have the right to data erasure
- Companies must implement reasonable data protection measures
- Companies must assess for threats
The High Cost of Noncompliance
Noncompliance with the GDPR will be costly. Top-tier fines are set at €20 million or 4 percent of global annual turnover, whichever is greater.
According to Information Age, “At the end of 2016, a survey conducted by AvePoint on 223 respondents from multinational organizations revealed that only 26 percent kept records of data processing and transfers. This is worrying as the penalties for non-compliance are significant.”
Most organizations have started to prepare for the GDPR’s implementation, but currently in the US only 6 percent of companies are completely ready. In the US alone, nearly 28,000 data protection officer positions will need to be filled. Less than 80 percent of US businesses have begun preparations for the GDPR, though 92 percent say it is a priority.
With less than a year until implementation, time is running out for many of these businesses to get with the program.
How Can Businesses Come Into Compliance?
In order to prepare, businesses must do the following:
- Hire a data protection officer
- Make a data protection plan
- Assess risk and determine where EU citizen data is being stored and how it is being used
- Implement security measures
- Assess for threats regularly
Is your business ready for the implementation of the GDPR in 2018? Learn more from the infographic below:
Infographic by Digital Guardian