Does your organization comply with the new data protection rules?
The General Data Protection Regulation (GDPR) was proposed by the European Commission and adopted by the European Parliament and the Council of the European Union to protect the personal data of individuals in the European Union. The purpose of the regulation is to strengthen and standardize data protection and give people in the EU more control over their personal data. The GDPR should also benefit international businesses, because one set of rules applies in every member state, which simplifies compliance. The regulation also governs the conditions under which personal data may be transferred outside the EU.
The GDPR was adopted on April 27, 2016. It will be enforceable as of May 25, 2018. The regulation doesn’t require that the individual EU members pass any legislation of their own to enable the law. The GDPR replaces the current Data Protection Directive. Companies that fail to be GDPR compliant by May 25, 2018, will be subject to harsh fines and penalties.
Key provisions of the GDPR
The regulation has 99 articles. Some of the key provisions in these articles are:
- Processing personal data requires a lawful basis. Consent is one of six such bases, and where a business relies on it, the consent must be freely given, specific, informed, and unambiguous; pre-ticked boxes and silence do not count.
- Data breaches must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them. Affected data subjects must also be notified without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
- Pseudonymisation and encryption are named as appropriate safeguards for personal data. Fully anonymised data, which can no longer be linked to an individual, falls outside the regulation altogether.
- Transfers of personal data outside the EU are only permitted to countries the Commission has found to offer adequate protection, or under appropriate safeguards such as standard contractual clauses or binding corporate rules.
- Some businesses and organizations will need to appoint a data protection officer (DPO): public authorities, organizations whose core activities involve regular and systematic large-scale monitoring of individuals, and organizations that process special categories of data on a large scale. Special categories include racial or ethnic origin, religious belief, health, genetic, and biometric data.
- Any business, regardless of where it is located, that offers goods or services to people in the EU, or monitors their behaviour, must comply with the GDPR. This means a business with no office in Europe is still bound by the regulation if it serves or tracks EU users.
Data subjects have a right to portability: they can obtain the data they provided in a structured, commonly used, machine-readable format and have it transmitted to another service provider. In some cases they can also ask that their data be erased (the "right to be forgotten").
Companies must put appropriate technical and organizational protection measures in place. Where processing is likely to result in a high risk to individuals, this includes conducting a data protection impact assessment before the processing begins.
Data protection officers monitor compliance with the GDPR, advise the organization, and act as the contact point for data subjects and for the supervisory authority.
Penalties for failing to comply with the GDPR
Supervisory authorities have broad powers to investigate suspected noncompliance, more powers than under the prior Directive to order corrections, and the power to impose far steeper fines than the earlier Directive allowed. They can also order that data be deleted and suspend a business's data transfers to other countries.
Companies that fail to comply with the GDPR face two tiers of fines: up to 10,000,000 Euros or 2% of global annual turnover (whichever is higher) for infringements such as failing to keep records or report breaches, and up to 20,000,000 Euros or 4% of global annual turnover (whichever is higher) for infringements of the core principles, of data subjects' rights, or of the transfer rules.
A European Data Protection Board (EDPB), made up of the heads of the national supervisory authorities, coordinates them and issues guidance to ensure the regulation is applied consistently across the EU.
Some GDPR Considerations
- A mandatory Data Protection Officer is new at the EU level; only a few member states required one before.
- The GDPR was drafted with cloud providers and social networking in mind.
- Non-European businesses that set up an establishment in the EU sometimes choose Ireland, so that the Irish Data Protection Commissioner becomes their lead supervisory authority and proceedings are conducted in English. Note that this "one-stop-shop" arrangement depends on having a main establishment in the EU; a business with none must instead appoint a representative in a member state where its data subjects are located.
- Companies previously not subject to similar data protection rules will need to spend a lot of time and effort to become compliant. Companies already in compliance with the current Directive will still need to work hard to meet the additional conditions of the GDPR.