The EU General Data Protection Regulation (GDPR), which replaces the previous Data Protection Directive 95/46/EC, was approved by the European Parliament in April 2016 and became enforceable on May 25, 2018.
Why is the EU General Data Protection Regulation (GDPR) going into effect?
The EU GDPR was designed to protect and strengthen the data privacy rights of individuals in the EU (it applies to data subjects in the Union regardless of citizenship) and to restructure the way global enterprises handle their personal data.
Is my company in-scope of GDPR?
Any company that offers goods or services to, or monitors the behavior of, data subjects in the EU is in scope of the regulation. A key feature of the GDPR is that there is no geographical threshold: regardless of where the company is established, if it meets the above criteria it is in scope. It is also important to note that the regulation treats controllers and processors as distinct entities with distinct obligations when they handle EU personal data.
What is considered personal data?
In general, personal data is any information that relates to an identified or identifiable natural person. Here are some high-level examples:
- First and last name
- Phone numbers
- Photographs or other images of the person
- Email address
- Internet Protocol (IP) addresses and other online identifiers
- Occupation and employment information
- Social media account identifiers
- Banking information
- Medical information
Do companies need explicit consent from EU data subjects to process their data?
Not in every case. Consent is one of several lawful bases for processing under Article 6 (others include performance of a contract, a legal obligation and legitimate interests), and explicit consent is specifically required for special categories of data such as health data. Where consent is the basis relied on, the rules have been tightened compared with the common “terms and conditions” we all accept on a daily basis: the request for consent must be clearly distinguishable from other matters, presented in clear and plain language, and expressed through an unambiguous, affirmative “opt in” by the data subject. Consent must also be as easy to withdraw as it was to give.
What is the difference between a controller and a processor?
Controller: an entity that determines the purposes, conditions and means of the processing of personal data.
Processor: an entity that processes personal data on behalf of the controller.
What are the penalties of non-compliance?
In general, if a company is found not to be in compliance with the GDPR, fines of up to 20 million euro or 4% of worldwide annual turnover, whichever is higher, can be imposed. The complexity of the regulation led the EU Parliament to implement a tiered approach to fines, with a lower tier of up to 10 million euro or 2% of worldwide annual turnover, whichever is higher, for less severe infringements. Examples of the lower tier:
- Failing to maintain records of processing activities as required by Article 30 falls in the 2% tier
- Failing to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it (Article 33) also falls in the 2% tier
What should companies be doing now to ensure compliance?
The best way to approach a new regulation is to first understand your current exposure to non-compliance. This is where supplier engagement, data collection and analysis are critical: gathering accurate, current information about how personal data is handled is what lets you minimize risk.
The goal is to determine whether your suppliers understand the regulation, know how to perform their own due diligence on their compliance status, and can report that information back to you accurately. As your supplier count grows, however, channeling communication, organizing results and producing meaningful risk-based reports becomes tremendously challenging. In response to client requests and an overall industry need, we have developed the GDPR compliance program.
The GDPR compliance program is a specialty solution we created to help companies understand their current standing with GDPR compliance and develop a corrective action plan when non-compliance becomes known. Contact us to learn more about our process and how to keep your company ahead of compliance now that the May 25, 2018 enforcement date has arrived.