The GDPR contains 11 chapters, 91 articles and more than 200 pages of requirements. To help you become familiar with it, we list below only those requirements that we believe will have the most impact on your business as you get started.
Data Portability:
The GDPR empowers EU individuals by giving them control over their own data. The right to data portability is a prime example of this empowerment: it gives the individual the right to move his or her personal data from one organization to another. The original organization must provide the data to the requesting consumer in a structured, commonly used and machine-readable format.
Data Breach Notification:
Businesses must do everything possible to protect consumer data, but in the current digital business climate, data breaches do occasionally occur. Under the GDPR, what matters is how a company responds when a breach happens. Organizations must report a data breach to the supervisory authority within 72 hours. Additionally, if the breach may result in a high privacy risk for EU consumers, the affected individuals must also be notified of the breach.
Inventory of Data:
While the EU legislators removed certain obligations that previously created massive amounts of red tape, such as the requirement to notify local authorities whenever personal data is processed, organizations must still maintain proper records of their processing activities.
Right to Be Forgotten:
Under the GDPR, data subjects are afforded an elevated right to erasure of their personal data. Under the new regulation, an organization must remove all requested data if just one condition, from a list of six, is met.
Data Protection Officer:
Every organization that (a) is a public authority, (b) carries out regular monitoring of individuals, such as behavioral tracking for marketing or other purposes, or (c) processes sensitive data, such as health or criminal records, must appoint a data protection officer (DPO). The DPO must inform and advise the organization and its employees about their obligations under the GDPR and any other relevant data protection laws.
A few additional requirements to keep in mind include the anonymization of collected data to protect privacy, the requirement to obtain consent from data subjects for data processing, the safe handling of data transferred across borders, and the specific protection of children when it comes to data collection and handling, particularly the consent rules for those under the age of 16.
The General Data Protection Regulation (GDPR) replaced the Data Protection Directive 95/46/EC in order to unify and harmonize data privacy laws across Europe and to protect the confidentiality of European consumers when making transactions.
After four years of meetings, deliberations and considerations, the EU Parliament and Council reached an agreement in April 2016. The resulting GDPR met the goals of protecting EU citizens' personal data while reducing the red tape for businesses providing goods and services to EU customers.
The GDPR was designed to impose a uniform data security law on businesses that market and sell goods and services to EU residents, regardless of the business’s geographic location, inside or outside of the EU.
First, the GDPR applies to all businesses and organizations based in the EU. Second, it applies to businesses all around the world, including those based in the United States, whenever they process or store the personal data of data subjects residing in the European Union.
The hefty administrative fines and penalties for GDPR non-compliance are discretionary, as opposed to mandatory, and are assessed on a case-by-case basis.
Depending on the nature of the infringement, businesses face one of two tiers of administrative fines:
• Up to €10 million, or 2% of annual global turnover, whichever is higher.
• Up to €20 million, or 4% of annual global turnover, whichever is higher.
No, not currently. Although comprehensive personal data protection laws have been proposed at the federal level, none has gained enough political support to be passed as a nationwide law. Many states have adopted data protection laws that require companies to protect the personal information of state residents, including California's CCPA and the NYDFS Cybersecurity Regulation in New York. But the lack of a GDPR equivalent in the US is notable.
If your organization provides goods or services to residents of any European Union country, you must learn, understand and comply with the GDPR requirements.
No official GDPR compliance certification is issued by any EU governmental authority, as GDPR compliance is generally considered an ongoing process. However, our accredited firm offers GDPR compliance certification badges, which prove adherence to GDPR principles for the companies we audit.