Do you collect data on European citizens? If yes, there have been a lot of changes in the last 12 months that you should be aware of, including the announcement of the General Data Protection Regulation.
Following is some basic information that will help you better understand GDPR.
This is certainly not everything you need to know about European privacy laws, and it isn’t intended to substitute for legal guidance, but if you think this affects you and your business read on - and then reach out to your legal counsel to get additional details as necessary.
You can also download our GDPR compliance checklist which will help you get started on identifying problem areas and building guidelines for your company.
What is GDPR? The General Data Protection Regulation (GDPR) regulates how companies need to protect EU citizens’ personal data. It was passed by the European Union in 2016 and enforcement begins on May 25, 2018.
Who does this regulation apply to? It "…applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location."
What’s the bottom line? If you handle Personally Identifiable Information (PII) of EU citizens, you must comply with the GDPR. The fines for non-compliance are huge.
"Under GDPR organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater)."
Here's a summary of the rights that the GDPR provides for “data subjects” (i.e. people):
Breach Notification. Data breach notification is mandatory within 72 hours of becoming aware of the breach. Subjects, clients and customers must be notified.
Right to Access. People have the right to obtain the data about them that a company is holding and be told where the data is housed and for what purpose. The company is required to provide a copy of that data, free of charge, in electronic format upon request.
Right to be Forgotten. People have a right to require data controllers to erase their personal data under their control.
Data Portability. Data must be in a common format.
Privacy by Design. The controller “shall implement appropriate technical and organisational measures . . . in an effective way . . . in order to meet the requirements of this Regulation and protect the rights of data subjects.” Controllers should hold and process only the data required for the provided service and limit access to personal data to those who are required to interact with it.
Data Protection Officers. The Regulation requires a DPO only of large-scale processors or those that deal with criminal convictions or offences.
For more information, you can visit the EU’s website http://www.eugdpr.org/ and of course, feel free to reach out to us if you want to discuss how we can assist!