GDPR will go into effect May 2018. Are you ready?
In the wake of ever-increasing cyber security and data privacy threats across the globe, it’s no surprise that GDPR policies have been modified to harmonize data privacy laws across Europe and increase data privacy protections. As the deadline for compliance draws near, you may be wondering what exactly this regulation entails and if and how your company may be affected.
What is GDPR?
The General Data Protection Regulation (GDPR) is a European Union Regulation aimed at enhancing the protection of all EU citizens from privacy and data breaches. It was first enacted in 1995, but recent changes to the policy may have an effect on your company and how you process data. Key changes to GDPR include an increase in territorial scope, strengthened conditions for consent, and heightened penalties for those in non-compliance (up to $23,881,000 USD, or four percent of your company’s annual global turnover, whichever is greater).
As a result of these changes, requests for consent must now be given in an easily accessible form, with the purpose of the data processing included. Consent must be distinguishable from other matters and must be written in clear and concise language. It must also be as easy to withdraw consent as it is to give it, as EU citizens may request their data be restricted, moved, or erased at any time.
When will GDPR go into effect?
The regulation is scheduled to go into effect on May 25, 2018.
Who does GDPR affect?
GDPR is not exclusive to organizations located within the EU. It also applies to organizations located outside of the EU that offer goods or services to, or monitor the behavior of, EU data subjects. This includes any US company that collects EU email addresses or sends email to them.
What constitutes personal data?
Under GDPR, personal data includes any information relating to an identified person. This can include name, ID number, location data, online identifier or other factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person. Also included are IP addresses, social media posts, online contacts, or mobile device IDs.
If your company currently does, or is planning to do, business in Europe, there are a few steps you can take to become GDPR compliant.
- Become familiar with the regulation. Understand the legislation and terminology and how it may affect you.
- Conduct an analysis of your current data and your process of collecting it. Consider what types of data you collect, where it is stored, and what measures you’re taking to manage and protect it.
- Ask for consent. Be transparent about what the collected information is to be used for, and for how long it will be used. Your company’s intention should be explicitly stated, meaning that it cannot be hidden within the lines of a privacy policy.
A report by Gartner predicts that more than 50 percent of companies affected by GDPR will not be in full compliance with its requirements by the end of 2018. Don’t wait until it’s too late! Becoming GDPR compliant now can help you avoid costly fines and improve your data processing and security measures. If you have questions about what you can do or how the regulation may affect you, feel free to contact us here.