Many companies wrongly believe that the GDPR does not affect organizations outside the European continent. Nothing could be further from the truth.
The European Union's General Data Protection Regulation, which will be enforced beginning in May 2018, will affect all organizations that handle Europeans' personal data, no matter where it is stored: Ohio, Singapore, or São Paulo.
What is GDPR?
The aims of the regulation are to protect the fundamental rights and freedoms of natural persons and to enshrine their right to protection of their personal data as well as the free movement of these data (see Art. 1 GDPR).
What impact will the GDPR have on organizations?
This regulation calls for a level of access and transparency never before required. To comply with the General Data Protection Regulation, companies will have to consider six major areas:
- Data protection through technology - Art. 25 GDPR
Companies are required to define internal strategies and initiate steps to ensure data protection through technology (by design) and as a standard approach (by default). Possible measures include minimizing and pseudonymizing the processing of personal data.
- Heightened Accountability - Art. 5 GDPR
Companies are required to ensure and demonstrate adherence to data protection regulations, for example through certification.
- Immediate notification requirements - Art. 33 GDPR
Companies are required to report data breaches within 72 hours to the competent supervisory authority and to the affected data subjects. Failure to do so may lead to fines of up to 20 million euros or 4% of the company's global annual turnover.
- Data protection officer - Art. 37–39 GDPR
According to the GDPR, the data protection officer's responsibilities include informing and advising the data controller or processor and the employees who carry out processing; monitoring compliance with the GDPR and national data protection provisions; awareness raising and training; providing advice as regards the data protection impact assessment and monitoring its performance; and cooperating with the supervisory authority.*
*Want to know if your company is required to appoint a DPO under the EU GDPR? Check out our DPO decision tree to find out.
- Data Protection Impact Assessment (DPIA) - Art. 35 GDPR
A DPIA must be performed "[...] where a type of processing, in particular, using new technologies, and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons [...]". The data protection officer analyzes the risks of the process together with the technology owners and then submits a declaration on the legality of the data processing.
- Penalties and fines - Art. 83–84 GDPR
More severe fines and penalties are designed to deter companies from infringing data protection regulations and to make them more aware that such offenses also violate the EU Charter of Fundamental Rights. Fines of up to 20 million euros or, for companies, up to 4% of annual turnover in the previous business year may be levied. Other penalties, such as seizure of profits, injunctions to end infringements, and permanent prohibition of data processing, may also be imposed.
Which barriers are organizations facing in implementing GDPR protocols?
Companies face organizational and bureaucratic changes to prepare for, and continually comply with, the GDPR. The General Data Protection Regulation forces businesses to be more transparent about the way they handle data. Data flows must be visible and easily accessible to the end user. Companies have previously over-collected end users' personal data without a genuine purpose for it. The GDPR calls for a close examination of what data is being collected and for which purpose, and encourages a more regulated approach to the treatment of personal data.
The GDPR has numerous advantages due to the standardization it entails, but for many businesses, the new regulation is both a blessing and a curse. Learn how to prepare your company for the GDPR here.