The European Union's (EU) General Data Protection Regulation (GDPR) is the most significant change to data privacy regulation in 20 years. It matters not only to firms that operate in Europe but to any firm that handles the personal data of people in the EU: a company established outside the EU that offers goods or services to individuals in the EU, or monitors their behaviour, must comply.
The new rules were approved in April 2016 and will be enforced from 25 May 2018. Firms that are not in compliance will face heavy fines.
The objective of the regulation is to improve the privacy and security of personal information. It also replaces the patchwork of national rules across Europe with a single set of requirements, which should make overall compliance easier. Still, for most firms compliance will require changes to how data is stored and processed, and changes that put individuals in control of their own data.
Here is more:
- Fines for non-compliance are up to 4% of annual worldwide turnover or 20 million euros, whichever is greater.
- Personal data must be protected. Personal data means any information relating to an identified or identifiable natural person, including information that identifies the person only indirectly. This covers names, photos, email addresses, bank details, postal addresses, posts on social media sites, medical information and IP addresses.
- The regulation defines a new role, the Data Protection Officer (DPO), which is mandatory for public authorities and for firms whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of sensitive (special category) data.
- Where processing relies on the individual's consent, that consent must be freely given, specific, informed and unambiguous, obtained before the data is collected and processed, and as easy to withdraw as it was to give. Pre-ticked boxes and silence do not count as consent.
- Individuals are given new rights over their data, including the right to access it, to have it corrected, to have it erased (the right to be forgotten) and to receive it in a portable format.
- Data protection must be built into systems by design and by default, not bolted on afterwards.
- A breach of personal data must be reported to the supervisory authority within 72 hours of the firm becoming aware of it where feasible, and affected individuals must be notified without undue delay when the breach is likely to result in a high risk to them. Separately, a data protection impact assessment is required before starting processing that is likely to be high risk.
- Transfer of personal data to other countries and organisations outside the EU is regulated and requires an adequacy decision or other approved safeguards.
- Companies are expected to implement technical and organisational security measures appropriate to the risk, taking into account the state of the art, and to be able to demonstrate that they have done so.
The outlines of the regulation are easy to understand on your own, and we recommend that every executive in a global business who has not yet reviewed it do so at the GDPR website. The hard part is building your transition plan towards compliance and then having that compliance independently assessed.
Crucial Point has provided external augmentation to global firms that needed architecture advice for GDPR compliance, and has also advised legal and compliance teams reviewing their readiness for the GDPR. For more on our compliance services see Crucial Point Compliance.