GDPR Data Protections
Companies collecting data on EU citizens are required to comply with the GDPR no later than May 25. The GDPR, the result of years of work across the EU, should bring data protection regulations in line with current uses of personal data as well as forecasted needs. The rules should set a new standard for protecting consumer rights. However, the new legislation could find some companies struggling to comply without new systems and processes for data protection.
The GDPR requires protection for any transaction that occurs within the EU member states or with any citizen located within the EU as well as data exported from the EU. These requirements are consistent for all 28 countries in the EU and are quite strict compared to previous standards. Most companies will, therefore, have to make significant changes to meet the new requirements.
Companies are already required to protect personally identifiable data, but the GDPR takes a wider stance as to what constitutes “personally identifiable.” The new standard moves beyond Social Security numbers and names to include individual IP addresses, cookie data, and more. The GDPR protects basic identity information, web data, health and genetic data, biometric data, racial and ethnic data, political views, sexual orientation, and much more.
Protections outlined in the GDPR include requiring consent for the processing of data, protecting privacy by anonymizing personal data, giving timely data breach notifications, handling data transfers safely, and requiring certain companies to oversee GDPR compliance through a specifically appointed data protection officer.
How Companies Should Comply with the GDPR
If your company stores or processes any of the personal information above about EU citizens residing within EU states, you must comply with the GDPR. These new regulations will impact an estimated 65 to 90 percent of US companies.
Security teams will have new concerns and expectations to comply with the GDPR. Not only must companies show compliance from data controllers, processors, and protection officers, but they are also held responsible for contractor compliance. The new regulations make third-party processors just as liable as the corporations for whom they work.
Your company may need to employ a data protection officer (DPO) if you handle large amounts of data from EU citizens. Any contracts with existing external contractors must clearly outline compliance expectations and responsibilities.