GDPR and Your Business
New regulations slated to go into effect on May 25th, 2018 are designed to provide greater protections to the personal data of individuals located in the European Union.
The General Data Protection Regulation, or "GDPR", imposes a host of new obligations on both "controllers" and "processors" of such data. Additionally, the GDPR provides for large penalties when companies fail to comply with these new obligations.
So What Exactly Is the General Data Protection Regulation (GDPR)?
Simply put, GDPR is a set of obligations and regulations governing the way businesses handle consumer data.
This legislation was drafted to align existing data-protection rules and raise the level of protection individuals receive regarding privacy and the handling of their data. The rules are designed to help customers and consumers keep greater control over their data by requiring more transparency throughout the data-collection process.
GDPR is a regulation that all US-based businesses must take seriously. Being based in the US does not mean that you are free from the penalties that can and will be imposed if you violate compliance.
Requirements of GDPR and How You Can Be Compliant
- Obtaining consent: Ensure that your terms of consent are clear. Do not overcomplicate or fill your terms and conditions with complex language that may confuse your users. Consent must be easily given and freely withdrawn at any time.
- Timely breach notification: If a security breach occurs, GDPR states that you have 72 hours to report the data breach to your customers. In addition, if your company is large enough to require a GDPR data controller, you must report the breach to the controller as well. Any failure to report a breach within this time frame will result in fines.
- Right to data access: Your users have the right to request any information related to their existing data profile and you must be able to serve them with a fully detailed and free electronic copy of the data you’ve collected about them. This report must also include the various ways you’re using their information.
- Data deletion: Also known as the right to be forgotten: once the original purpose or use of the customer data has been fulfilled, your customers have the right to request that you fully erase their personal data.
- Data portability: Users have a right to their own data. You must provide a mechanism by which a user can obtain their data from you and reuse that same data in environments outside of your company.
- Privacy by design: This section of GDPR requires companies to design their systems with the proper security protocols in place from the start. Failure to design your data-collection systems the right way will result in a fine.
- Potential data protection officers: In some cases, your company may need to appoint a data protection officer (DPO). Whether or not you need an officer depends upon the size of your company and at what level you currently process and collect data.
What Happens If I Am Not GDPR Compliant?
Failure to comply with the GDPR regulations can result in very severe fines. Fines are tiered; at the higher tier they can reach €20 million, or up to 4 percent of the offending organization’s annual revenue, whichever is greater.
For lesser offences, the fine is cut in half to €10 million, or up to 2 percent of the offending organization’s annual revenue, again whichever is greater.
The higher-tier fines apply to cases in which a data infringement occurs, procedures for handling data aren’t in place, an unauthorized transfer of data occurs, or customer requests for data access are ignored.
The lower-tier fines apply to misuse of data on a minor scale. Examples include failing to report a data breach, failing to notify your customers about a recent breach, or failing to apply the correct data-protection protocols.
The extent of the fines your company could receive depends upon how severe the breach is, and the compliance actions you’ve taken as a result of the breach.