NEW REGULATIONS: Doing Business with European Countries
October 3, 2017
The General Data Protection Regulation (GDPR) will go into effect May 2018. Is your business ready?
After four years of preparation and debate, the GDPR was approved by the EU Parliament on 14 April 2016. It becomes enforceable on 25 May 2018, at which time organizations found to be in non-compliance will face heavy fines.
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC. It was designed to harmonize data privacy laws across Europe, to protect and empower the data privacy of all individuals in the EU, and to reshape the way organizations across the world approach data privacy.
Who does the GDPR affect?
The GDPR not only applies to organizations located within the EU, but it will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects.
It applies to all companies processing or holding the personal data of individuals in the European Union, regardless of the company's location.
What are the penalties for non-compliance?
Organizations can be fined up to €20 million or 4% of annual global turnover, whichever is higher, for breaching the GDPR. This is the maximum fine that can be imposed for the most serious infringements (e.g. processing personal data without a valid legal basis such as sufficient consent, or violating data subjects' rights).
There is a tiered approach to fines as well. For example, a company can be fined up to €10 million or 2% of annual global turnover, whichever is higher, for not keeping its records of processing in order (Article 30), not notifying the supervisory authority and data subjects about a breach (Articles 33 and 34), or not conducting a data protection impact assessment (Article 35). It is important to note that these rules apply to both controllers and processors, meaning cloud providers will not be exempt from GDPR enforcement.
What constitutes personal data?
Any information relating to an identified or identifiable natural person (the 'data subject'), i.e. anything that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, or medical information, to an IP address.