What is GDPR?
The European Union’s (EU) General Data Protection Regulation (GDPR) (http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf) was developed to address the modern challenges of data protection and privacy for citizens of the EU’s member states.
Prior to GDPR, the EU had the Data Protection Act of 1998. That legislation is out of date with respect to the way personal data is now stored and shared in what is commonly referred to as “the cloud.” Facebook and Google are examples: users must share their personal information with them in order to use their services, yet it is not readily apparent how that data is exploited by those companies and by the businesses they share it with.
GDPR is also intended to strengthen enforcement and simplify compliance requirements for businesses.
What’s the date for GDPR compliance?
The deadline for businesses to comply with the regulation is May 25, 2018.
Does GDPR apply to my company?
It applies if your business qualifies as what’s referred to in GDPR as a ‘Controller’ or ‘Processor’ of personal information of citizens of the member states of the EU.
Definitions of Controller and Processor from GDPR:
“‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;”
Provided the data a business handles belongs to citizens of the EU, the business itself does not need to be located in the EU. Example: a company headquartered in the US that does business with citizens of the EU, even without a physical location there, is responsible for complying with GDPR provided it meets the definition of a controller or processor.
This may apply to my business, but what happens if I don’t comply?
A fine of €20 million (~$21.4 M) or 4% of your global annual revenue, whichever is greater, could be levied by the appropriate data protection authority.
How do I prepare my business for GDPR compliance?
As with any compliance regulation or mandate, the first step is assessing the data: validating the information your company stores, understanding how it is handled and retained, and determining whether it contains personal information on EU citizens.
Sera-Brynn is experienced in mapping data flows and evaluating risks. Call us today if you’re concerned about the implications of GDPR on your business.