What Is GDPR?
The General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/EC as a means of unifying and harmonizing data privacy laws across Europe for the protection of European consumers’ confidentiality when making transactions.
After four years of meetings, deliberations and considerations, the EU Parliament and Council reached an agreement in April 2016 that met their goal of protecting EU citizens’ personal data while also reducing the amount of red tape for businesses providing goods and services to EU customers.
Who Is Subject to GDPR Requirements?
The GDPR was designed to impose a uniform data security law on any businesses that market and sell goods and services to EU residents, regardless of the business’s geographic location, inside or outside of the EU.
Businesses all around the world, including those based in the United States, are subject to the GDPR’s requirements when responsible for processing and holding personal data of data subjects residing in the European Union.
What Is The Deadline For GDPR Compliance?
The deadline for full GDPR compliance is May 25, 2018.
What Happens If My Organization Is Not GDPR Compliant?
The stiff administrative fines and penalties for GDPR non-compliance are discretionary, as opposed to mandatory, and will be reviewed on a case-by-case basis. Depending on the nature of the compliance infringement, businesses may face one of two tiers of administrative fines:
- Up to €10 million or 2% of annual global turnover, whichever is higher.
- Up to €20 million or 4% of annual global turnover, whichever is higher.
Do I Need To Worry About GDPR Compliance For My Business?
If your organization provides goods and services to residents of any of the countries within the European Union, you must learn, understand and comply with the GDPR requirements.
What Are The Basic Requirements For GDPR Compliance?
The GDPR contains 11 chapters, 91 articles and more than 200 pages of requirements. However, we will help you become familiar with the GDPR by listing only those requirements that we believe will have the most impact on your business while getting started.
- Data Portability: The GDPR empowers EU individuals, giving them control over their own data. The right to data portability is a prime example of this empowerment, giving the individual the right to move his or her personal data from one organization to the next. The original organization must provide the data to the requesting consumer in a structured, commonly used and machine-readable format.
- Data Breach Notification: Businesses must do everything possible to protect consumer data, but in the current digital business climate, data breaches do occasionally occur. What a company does in the event of a data breach is what matters under the GDPR. Organizations must report a data breach to the supervisory authority within 72 hours. Additionally, if the breach is likely to result in a high privacy risk for EU consumers, the affected individuals must also be notified of the breach.
- Inventory of Data: While the EU designers have removed certain functions that previously caused massive amounts of red tape, such as the requirement to notify local authorities when personal data is processed, organizations still must maintain proper records of processing activities.
- The Right to Be Forgotten: Under the GDPR, data subjects are afforded an elevated right to erasure of their personal data. Under the new regulation, all organizations must remove all requested data if any one of six listed conditions is met.
- The Data Protection Officer: Every organization that a) is a public authority, b) monitors individuals for behavioral tracking, whether for marketing purposes or otherwise, or c) processes sensitive data, such as health or criminal records, must appoint a data protection officer (DPO). A DPO must inform and advise the organization and its employees about their obligation to conform to the GDPR, as well as to any other relevant data protection laws.
A few additional requirements to keep in mind include the anonymization of collected data to protect data privacy, the requirement to obtain the consent of data subjects for data processing, the safe handling of data when transferring it across borders, and the specific protection of children when it comes to data collection and handling, particularly those under the age of 16 with regard to consent.
Features of the GDPR Readiness Assessment Program with I.S. Partners, LLC.
Our GDPR Readiness Assessment Program includes:
- Gap assessment to GDPR regulations
- Automated evidence gathering for process controls
- Efficiency for managing remediation activities by task/resource
- Dashboards and flexible reporting
- Management of documents and policies that can be applied to almost any process flow
Are You Ready For The GDPR Deadline?
In order to maintain your strong business relationships with your EU customers without facing fines and penalties, you must ensure that you are fully covered on the GDPR front. The I.S. Partners, LLC. team has prepared a comprehensive GDPR Readiness Assessment Program to make sure your organization is fully GDPR compliant by the May 25, 2018 deadline.