The EU General Data Protection Regulation (GDPR) was designed to set a standard for data privacy laws throughout Europe, and to extend beyond those boundaries to protect the data of all EU citizens in this global economy. GDPR applies to all companies that process or store personal data of EU citizens, regardless of the company’s location.
Although the GDPR regulation was adopted in April 2016, there is a two-year transition period for organizations to understand and plan to meet the requirements. Those who do not comply can be fined up to 4% of global revenues or €20 Million (whichever is greater) for the most serious infringements, including not having sufficient permission from the subject to process their data, or violating the core concepts of Privacy by Design.
Key areas of GDPR include:
- Data Protection Officer (DPO) – A DPO must be in place if your company regularly engages in the collection or storage of subject data.
- Consent – Consent of citizens must be obtained in an easily accessible form; parents must consent for minors under the age of 16.
- Increased territorial scope – As noted above, this is a global directive.
- Privacy by Design – Inclusion of data protection from the onset of system design through both technical and organizational measures.
- Data Breach Notification – GDPR gives companies just 72 hours to report data breaches to authorities and affected parties.
- Penalties – Tiered approach to fines based on seriousness and nature of violation(s), up to €20 Million.
Start planning now! Here are the initial steps to take to make sure you are prepared:
- Determine if your organization processes or stores any personal data on EU citizens. This may include their name, a photo, bank details, social media posts, medical information and even their computer IP address.
- Map out the data flow of protected information to confirm your in-scope systems for Privacy by Design.
- Budget now to conduct a Gap Assessment on in-scope systems, as well as your policies and procedures. CIOs are already allocating funds to meet the requirements by 2018.
For questions specific to your organization, or assistance with the steps above, contact Foresite.