As the EU General Data Protection Regulation (the “GDPR”) compliance deadline rapidly approaches, many U.S. companies are struggling to understand how this new regulatory scheme will affect their businesses. The reality is that companies governed by the GDPR will be required to undergo a radical change in how they view data privacy and security. In the past, many companies regarded the data they collected and processed as a company-owned asset. The GDPR sets a new standard for consumer rights for companies collecting data on citizens in European Union (EU) countries; the GDPR views “personal data” as belonging to the individual rather than to the companies collecting such information.
What is GDPR
In April 2016, the European Parliament adopted the GDPR, thereby replacing Directive 95/46/EC (the “Directive”). The Directive’s intent was to protect the personal data of European citizens; however, it did not apply to each Member State until incorporated into the state law of each individual member. Moreover, each Member State legislature interpreted the Directive differently, resulting in a "patchwork" of data privacy/protection compliance obligations. This disjointed approach to data protection was a nightmare for companies conducting business in the EU. The GDPR, therefore, seeks to harmonize data protection in the 28 EU Member States.
What Companies are Affected by GDPR
The starting point in the GDPR analysis is whether or not a company is marketing its business in the EU; in other words, does the company have a business presence within any EU Member State? In general, the following companies are subject to the GDPR:
- Companies with an operation within the EU;
- Companies outside the EU that offer their goods or services to “data subjects” [people] within the EU; and
- Companies monitoring the behavior of people in the EU.
What is the GDPR Compliance Deadline
All companies falling under the GDPR must be able to demonstrate compliance by May 25, 2018.
What are the Penalties for GDPR Non-Compliance
National Data Protection Authorities (“DPAs”) may issue fines for GDPR compliance failures up to a maximum of the greater of €20 million or four percent of a company’s worldwide revenue.
What Types of Personal Information are Governed by the GDPR
The scope of “personal data” under the GDPR is wide. In sum, any of the identifiers listed below that relates to a person (a “Data Subject”) falls within the scope of the GDPR compliance requirements:
- A name,
- An identification number,
- Location data,
- An online identifier, or
- One or more factors specific to the:
  - Cultural, or
  - Social identity of that person.
For those companies “profiling” or monitoring the behavior of any person in the EU, any of the following information, once collected, falls under the scope of the GDPR:
- Work performance,
- Economic situation,
- Personal preferences,
- Behavior, or
- Location or movements of a person.
The bottom line is that the GDPR is a significant regulatory consideration for any company collecting, storing, or processing “personal information” on any EU citizen residing within an EU country.
What Should an Organization Do to Prepare for the GDPR
- Develop and conduct a GDPR awareness program.
- Inventory, categorize, and assess the Personal Data collected, stored, processed, and disseminated by the business.
- Update and revise company privacy notices to reflect the new GDPR requirements.
- Review and revise current company data processing procedures to ensure they adhere to the rights of the Data Subjects.
- Implement data processing procedures that allow for the efficient and effective handling of Data Subject requests for information.
- Ensure that the business has a "Lawful Basis" for collecting the Personal Data it collects and update and revise current privacy notices to reflect such a lawful basis.
- Review business data collection Consent Notices to ensure that they are compliant with the GDPR's Data Subject Consent Regulations.
- Develop or enhance the business' existing data breach response plans to ensure the organization has an effective mechanism for detecting, responding to, and reporting a data breach.
- Employ a "Data Protection by Design and by Default" strategy.
- Appoint a qualified organizational Data Protection Officer.
CyberSquire is a Managed Security Service Provider (MSSP) delivering end-to-end cyber security as a service. CyberSquire's state-of-the-art Security Operations Center (SOC) is located on the campus of Syracuse University in Syracuse, New York. In addition to providing technical solutions to our clients, our core offering is privacy compliance services.
Please visit our GDPR Compliance Center to learn more about the GDPR and receive our regular updates on the GDPR.